Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 22 Feb 2013 10:24:12 -0800
From: Tim <tim-security@...tinelchicken.org>
To: oss-security@...ts.openwall.com
Cc: Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: CVEs for libxml2 and expat internal and
 external XML entity expansion


>  > Please use CVE-2013-0338 for libxml2 internal entity expansion
> 
> Hasn't libxml2 got countermeasures for that?

Yeah, I believe so.  Last I looked, I came up with recommendations for
folks to use xmlCtxtUseOptions with XML_PARSE_NOENT, XML_PARSE_NONET,
and XML_PARSE_DTDLOAD set appropriately.  However, it wasn't 100%
clear to me at the time if these addressed all edge cases.  In
particular, I didn't care much about the DoS cases at the time, but
hopefully if DTDs are ignored, then it wouldn't be an issue.  

I'd love to hear from an expert on this matter.  For sure the
documentation needs to be improved...


>  > Please use CVE-2013-0341 for expat external entities expansion
> 
> I don't think expat resolves external entities at all.  Therefore, the
> vulnerability resides entirely in the code which uses expat.

Last I checked, I came to the same conclusion.


tim

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.