CVE for several versions of libxml2

[shawnlaffan]

From GHSA-6c2p-rqx3-w4px

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

Should these be added to the list of bad versions in the alienfile?

[plicease]

Probably. @shlomif do you have any concerns?

[mohawk2]

@shawnlaffan I'd suggest that the possibility of XXE is the most essential reason to mark them bad? :-)

[plicease]

@shawnlaffan can you do a PR?

[shawnlaffan]

@shawnlaffan can you do a PR?

Will work one up tomorrow.

XML::LibXML currently does not pass tests with the latest version of libxml so Alien::LibXML should probably restrict itself to one that works (2.12.x). XML::LibXML is also up for adoption so probably won't be fixed in the short term.

[shawnlaffan]

PR logged. It does not specify a maximum version but that can be done as a separate PR if XML::LibXML is not updated to work with libxml 2.13.

[shawnlaffan]

PR #45 addresses specific versions, but the more recent CVE indicates that anything prior to 2.12.10 should be avoided.

We could add more bad flags but it is perhaps simpler to specify a minimum version. That's easy for pkg-config probes, but the alienfile uses several methods and it's not clear from the docs if they support an atleast_version flag.

A more general thought is that it would be useful to have an Alien::Build plugin that searches the CVE database for known issues and flags those versions as bad. Net::CVE seems to work from my limited testing.

[plicease]

A more general thought is that it would be useful to have an Alien::Build plugin that searches the CVE database for known issues and flags those versions as bad. Net::CVE seems to work from my limited testing.

That sounds like it would be a very useful integration. I don't have the bandwidth to work on a design for this do you (or anyone else) have some time to export this and maybe come up with a PoC?

[shawnlaffan]

A more general thought is that it would be useful to have an Alien::Build plugin that searches the CVE database for known issues and flags those versions as bad. Net::CVE seems to work from my limited testing.

That sounds like it would be a very useful integration. I don't have the bandwidth to work on a design for this do you (or anyone else) have some time to export this and maybe come up with a PoC?

I've created PerlAlien/Alien-Build#424

That leaves the need to set libxml2 versions earlier than 2.12.10 as bad being discussed here. I could just add more bad version entries but the blanket min version is simpler. The sticking point for me is that not all probes in the alienfile seem to support an atleast_version argument.