Bug#1005281: libxml-libxml-perl: breaks validation, which succeeds even though the DTD could not be loaded

Vincent Lefevre vincent at vinc17.net
Thu Feb 10 12:59:23 GMT 2022


Package: libxml-libxml-perl
Version: 2.0207+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

The recent change about load_ext_dtd introduced an unexpected issue,
with possible security implications: when one sets validation to 1
without also setting load_ext_dtd to 1, the document is always
regarded as valid.

It is probable that existing scripts that set validation to 1 do not
explicitly set load_ext_dtd to 1, because load_ext_dtd = 1 was the
default and also because it is rather obvious that if the user wants
validation, he also wants to load the DTD, which is needed for the
validation. So this silently breaks validation. This may have security
implications as validation can normally be used to check that input
from untrusted source does not contain unexpected contents (e.g.
contents that is likely to yield data injection).

See for instance: https://cwe.mitre.org/data/definitions/112.html

Example:

------------------------------------------------------------
#!/usr/bin/env perl

# Minimal reproducer: validation is requested, but load_ext_dtd is left
# at its default. The DOCTYPE points at a DTD that does not exist, so a
# validating parse must fail.

use strict;
use warnings;
use XML::LibXML;

my $s = <<EOF;
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
<root/>
EOF

my $parser = XML::LibXML->new();
$parser->validation(1);
# Expected: dies with "failed to load external entity" / "no DTD found".
# Observed with 2.0207+dfsg-2: returns a document, no error reported.
my $doc = $parser->parse_string($s);
------------------------------------------------------------

With libxml-libxml-perl 2.0134+dfsg-2, the fact that the DTD could not
be loaded was properly reported, with a fatal error:

:2: I/O error : failed to load external entity "does-not-exist.dtd"
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
                                           ^
:3: validity error : Validation failed: no DTD found !
<root/>
     ^

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libxml-libxml-perl depends on:
ii  libc6                         2.33-5
ii  libxml-namespacesupport-perl  1.12-1.1
ii  libxml-sax-perl               1.02+dfsg-3
ii  libxml2                       2.9.12+dfsg-5+b1
ii  perl                          5.32.1-6
ii  perl-base [perlapi-5.32.1]    5.32.1-6

libxml-libxml-perl recommends no packages.

libxml-libxml-perl suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
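The following is an added example, not part of the bug report above: a parser wrapper that sets both `validation` and `load_ext_dtd` explicitly, so the result no longer depends on the library's default, and that self-checks at startup that a document with an unloadable DTD is still rejected. If that check passes, validation is silently off (the behaviour the report describes) and the script refuses to process any input. The helper names (`make_validating_parser`, `parse_validated`, `assert_validation_enforced`) and the sample documents are constructed for this example; `no_network` is a documented XML::LibXML parser option used here as a hardening choice, since `load_ext_dtd` makes the parser fetch whatever the DOCTYPE points at.

```perl
#!/usr/bin/env perl
# Added example (not from the bug report): explicit validation setup with a
# startup self-check that a missing DTD is treated as a fatal error.
use strict;
use warnings;
use XML::LibXML;

# Build a parser that validates and explicitly asks for the external DTD,
# so the outcome does not depend on the library's default for load_ext_dtd.
# no_network keeps DTD lookups local (hardening choice for this example);
# pair it with an XML catalog if the real DTDs live on the network.
sub make_validating_parser {
    return XML::LibXML->new(
        validation   => 1,
        load_ext_dtd => 1,
        no_network   => 1,
    );
}

# Parse $xml with validation; returns the document or dies with the
# libxml2 error text (parse_string dies on validity errors when
# validation is on and recover is off).
sub parse_validated {
    my ($parser, $xml) = @_;
    return $parser->parse_string($xml);
}

# Self-check: a document whose DTD cannot be loaded must NOT parse.
# If it is accepted, validation is not being enforced and we stop here
# rather than treat untrusted input as validated.
sub assert_validation_enforced {
    my ($parser) = @_;
    my $unloadable = <<'EOF';
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root SYSTEM "does-not-exist.dtd">
<root/>
EOF
    my $accepted = eval { $parser->parse_string($unloadable); 1 };
    die "validation is not enforced: document with unloadable DTD was accepted\n"
        if $accepted;
    return 1;
}

my $parser = make_validating_parser();
assert_validation_enforced($parser);

# Constructed sample inputs with an internal DTD: one valid, one invalid.
my $valid = <<'EOF';
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [ <!ELEMENT note (to)> <!ELEMENT to (#PCDATA)> ]>
<note><to>ops</to></note>
EOF

my $invalid = <<'EOF';
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [ <!ELEMENT note (to)> <!ELEMENT to (#PCDATA)> ]>
<note><from>ops</from></note>
EOF

for my $case ([valid => $valid], [invalid => $invalid]) {
    my ($name, $xml) = @$case;
    my $doc = eval { parse_validated($parser, $xml) };
    if ($doc) {
        printf "%-8s accepted: root element <%s>\n",
            $name, $doc->documentElement->nodeName;
    } else {
        my $err = "$@";
        chomp $err;
        printf "%-8s rejected: %s\n", $name, $err;
    }
}
```

The self-check is the part worth keeping in any deployment: it turns the silent failure described in the report into a loud one, because a validating parser that accepts a document whose DTD cannot be loaded is, by construction, not validating. The `valid` sample should be accepted and the `invalid` one rejected with a "No declaration for element from" style validity error.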