Disable XML entity expansion in DMG file parsing

XML entity expansion may be used to load an XML entity from a (different) local file than the file being scanned if the scanning process can read the referenced file path. This may be used to leak information from the local file to the person who initiated the scan. The libxml2 option XML_PARSE_NOENT means that no entities should be left in the document and not that no entities should be resolved. This commit removes that option.
Cisco-Talos · Feb 12, 2023 · 86a6c8c · 86a6c8c
1 parent 7a645d9
commit 86a6c8c
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/libclamav/dmg.c b/libclamav/dmg.c
@@ -206,8 +206,7 @@ int cli_scandmg(cli_ctx *ctx)
 /* This is the block where we require libxml2 */
 #if HAVE_LIBXML2
 
-/* XML_PARSE_NOENT | XML_PARSE_NONET | XML_PARSE_COMPACT */
-#define DMG_XML_PARSE_OPTS ((1 << 1 | 1 << 11 | 1 << 16) | CLAMAV_MIN_XMLREADER_FLAGS)
+#define DMG_XML_PARSE_OPTS ((XML_PARSE_NONET | XML_PARSE_COMPACT) | CLAMAV_MIN_XMLREADER_FLAGS)
 
     reader = xmlReaderForMemory(outdata, (int)hdr.xmlLength, "toc.xml", NULL, DMG_XML_PARSE_OPTS);
     if (!reader) {