Multiple security issues in ezxml #2119
Comments
|
It does seem unfortunate that netcdf is using an xml parser that hasn't been updated in over 15 years. |
|
I found nothing that came close in size -- 1 .c and 1 .h files -- and with a usable license. |
|
I went thru this list again to see what was new: https://awesomeopensource.com/projects/xml-parser |
|
Why not just link to libxml2? Don't include an XML library in your source tree. |
|
And and yet another burden to our users? |
|
I would argue that there is nothing particularly simple about parsing XML, particularly in a safe manner. Also, packaging/building libraries is what distributions and sysadmins are meant to do and is not rocket science. It's the 21st century, let's take advantage of it. |
|
Sorry, and I do not mean to be rude. But my experience is that despite what we wish were true, My recent experience trying to support the aws-sdk-cpp library across just Linux and Windows is a good example. It is overkill, but I am forced to use it. After much pain, I finally got it to build on a specific version of Ubuntu, but not on earlier versions of Ubuntu. I still do not have it working on Windows. God knows what will happen with other versions of Linux, or OSX. It would be nice if the C eco-system were as clean as Python or Java, but it is not. |
|
libxml2 is everywhere where GNOME is, this includes Linux, BSD, OSX, and Windows: http://xmlsoft.org/downloads.html It's a good example of a cross-platform library. Your experience says more about the (lack of) portability of aws-sdk-cpp and means nothing with respect to libxml2. |
|
With respect to dependencies, hdf5 is a very problematic one. It does not support building both parallel and serial versions at the same time, and required far too much customization in its Debian package. There is also no public VCS nor bugtracker, bitbucket.hdfgroup.org & jira.hdfgroup.org are recent improvements but are still not good enough. |
|
The primary issue here is that the bundled XML interface has a number of CVE's, and is very out of date. The ideal solution would be to link against an external interface, The confounding factor, as usual, is Windows. The link provided above, thanks @sebastic, leads me through a couple levels of links and ultimately takes me to 32-bit Windows versions from 2011, and 64-bit versions from 2015. Not the solution we are looking for. On Windows, we provide binary installers for netCDF which bundle So the situation, in summary, is as follows:
I think we are all on the same page when it comes to the urgency to address these CVEs. The issue, as always, is how do we solve this in a way that doesn't leave our Windows/Visual Studio users in a tough spot.
|
|
|
Sorry to get my back up over this. I will switch to libxml if you want. But I just |
|
@DennisHeimbigner No issue, I was just outlining my thoughts above while I was looking at the issue. The burden of dependencies on our users is a big one, and the lack of any sort of universal package manager for binary installation makes it a particularly sticky issue for Windows. Thanks for getting the issues as outlined resolved! |
## Examine and fix ezxml errors re: Issue Unidata#2119 Multiple security issues were found in ezxml (see above Issue). * CVE-2021-31598 * CVE-2021-31348 / CVE-2021-31347 * CVE-2021-31229 * CVE-2021-30485 * CVE-2021-26222 * CVE-2021-26221 * CVE-2021-26220 * CVE-2019-20202 * CVE-2019-20201 * CVE-2019-20200 * CVE-2019-20199 * CVE-2019-20198 * CVE-2019-20007 * CVE-2019-20006 * CVE-2019-20005 In addition, moved ezxml to libdispatch. ## Examine and fix selected oss-fuzz detected errors Note that most of these errors are in the libsrc .m4 generated code so fixing them is difficult. It would nice if we could tell oss-fuzz to skip those files. They are old and crufty and probably need a complete refactor. Issue|Status -----|------ 35382|Fixed; old bug 35398|Closed by OSS-Fuzz 35442|Guarantee alloc > 0 or error; Old bug 35721|Assert failure; ok 35992|Fixed; old bug 36038|Fixed; old bug 36129|Unfixed; old bug 36229|Fixed by adding assert; old bug 37476|Unfixed; old bug 37824|Assert Failure; ok 38300|Closed by OSS-Fuzz 38537|Unfixed; old bug 38658|Unfixed; old bug 38699|Fixed maybe; old bug 38772|Nature of error is unclear, suspect that it results from using too large a type. 39248|Need more information 39394|Unfixed; old bug
|
THis issue can be closed |
|
I'm not sure about closing this. I found several issues:
With all this said, how much do these issues matter in the context of netcdf-c? So far, this code is only used in the context of DAP4 to transmit information from a dap4 server to a client using netcdf-c. |
re: Unidata#2117 re: Unidata#2119 * Modify libsrc to allow byte-range reading of netcdf-3 files in private S3 buckets; this required using the aws sdk. Also add a test case. * The aws sdk can sometimes cause problems if the Awd::ShutdownAPI function is not called. So at optional atexit() support to ensure it is called. This is disabled for Windows. * Add documentation to nczarr.md on how to build and use the aws sdk under windows. Currently it builds, but testing fails. * Switch testing from stratus to the Unidata bucket on S3. * Improve support for the s3: url protocol. * Add a s3 specific utility code file: ds3util.c * Modify NC_infermodel to attempt to read the magic number of byte-ranged files in S3. ## Misc. * Move and rename the core S3 SDK wrapper code (libnczarr/zs3sdk.cpp) to libdispatch since it now used in libsrc as well as libnczarr. * Add calls to nc_finalize in the utilities in case atexit is disabled. * Add header only json parser to the distribution rather than as a built source.
|
Thanks, I should have thought of that. Just because I do not want to depend on libxml2 |
I've looked into this a bit over the weekend. It seems to be doable and libxml2 looks like a good option: it is a DOM parser like ezxml. Other parsers, like xpat, are streaming parsers using callbacks which would make an integration extremely difficult. |
|
Don't bother. I already have start on this. |
re: Unidata#2119 H/T to [Egbert Eich](https://github.com/e4t) and [Bas Couwenberg](https://github.com/sebastic) for this PR. It is undesirable to make netcdf be dependent on the availability of libxml2, but it is desirable to allow its use if available. In order to do this, a wrapper API (include/ncxml.h) was constructed that supports either ezxml or libxml2 as the implementation. Additionally, the xml support code was moved to a new directory netcdf-c/libncxml. Primary changes: * Create a new sub-directory named netcdf-c/libncxml to hold all the xml implementation code. * Move ezxml.c and ezxml.h to libncxml * Create a wrapper API -- include/ncxml.h * Create an implementation, ncxml_ezxml.c to support use of ezxml. * Create an implementation, ncxml_xml2.c to support use of libxml2. * Add a check for libxml2 in configure.ac and CMakeLists.txt * Modify libdap to use the wrapper API instead of ezxml directly. Misc. Other Changes: * Change include/netcdf_json.h from built source to be part of the distribution.
re: PR Unidata#2139 re: PR Unidata#2169 re: PR Unidata#2146 re: Issue Unidata#2119 Found the product tinyxml2 at https://github.com/leethomason/tinyxml2.git and replaced ezxml with it. Tinyxml2 is about twice the LOC of ezxml, but at least is it still being maintained, and I can use it out of the box. It is C++ rather than C, but we seem to have reached the point that we can include C++ code with only minor compile flag changes. Untested on Mac OS. Added instructions to the end of libncxml/Makefile.am on how to upgrade to a later version of tinyxml2. This PR obsoletes the use of ezxml (re PRs Unidata#2146 and https://github.com/Unidata/netcdf-c/issue/2119).
|
It seems that libxml2 is falling away from current maintenance. I started #2169 to consider the choice for the default XML parser for netcdf. Currently this is tinyxml2 versus libxml2. Commenters, if you have any insights related to this choice, please add to #2169. Thank you. |
As reported by Moritz Muehlenhoff in Debian Bug #989360:
The text was updated successfully, but these errors were encountered: