Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 02 Mar 2013 21:28:06 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>, Steven Christey <coley@...re.org>
Subject: Re: CVE request: ruby-openid XML denial of service
 attack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/01/2013 08:50 AM, Marcus Meissner wrote:
> Hi,
> 
> ruby-openid is affected by a XML denial of service (Entity
> Expansion Attack / out of memory) attack as recently described.
> 
> https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
>
> 
https://github.com/openid/ruby-openid/pull/43
> https://bugzilla.novell.com/show_bug.cgi?id=804717
> 
> Ciao, Marcus

Hrmm yeah. They disable entity expansion (which seems like a safe bet
for OpenID based XML stuff).

Please use CVE-2013-1812 for this issue, specifically for XIE (XML
Internal Entity expansion).

Just a note on XML External Entity (XXE) expansion in ruby-openid
which uses rexml, according to:

https://pypi.python.org/pypi/defusedxml/0.3

Ruby's REXML document parser is vulnerable to entity expansion attacks
(both quadratic and exponential) but it doesn't do external entity
expansion by default. In order to counteract entity expansion you have
to disable the feature:

REXML::Document.entity_expansion_limit = 0

libxml-ruby and hpricot don't expand entities in their default
configuration. So in general the CVEs I'm assigning to ruby stuff will
be for internal entity expansion and not for external entity expansion
since a protective mechanism exists that the application can use.
Steve does that sound right?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRMtFWAAoJEBYNRVNeJnmTtwsQANEQx507H3QFM79mfBdvLWVc
WZ8PSosOjd6Iazrv57JzgHsN3/cLINN/b5Kw4YVYvOELjn2U8+eJ2HpXsRBQWtVP
axNBWNqrCWSeVmOiBPOThEthcwTi5udn9g/xs8AlOiDY91/HQ6DPwda6uaCq2cMA
2HQaARCM+az2Zq/qIx4bSZ+jZFtIdbyHsQGyNjbDA6Y542OJ/EtDh10RXMf0tdlz
6pu/sWPmaEh0NLt/8hoWyGMYrxnbO/1epa20kGYG5cA8ztAoZc4rmi3DK6wliHzI
UDnM9O+P0d0rvAZLGI4wnEgtP25I3Qda2xkjESquYvD8beRSxVco+m+XjqDJJJ4y
X+HzhnicEsHRbNsvqdmCgzcKIhdgPwUxXuuM+v+8qnCMTciowd/+IKp0WkLIyaWR
hYgCAhh1yGAmJj4TevyiI+k4tHLQW+4io5zvf5UhVCNNpkzOEPbHDBEAooG5WyHq
VyKkHYk/852yXCNQJeG/4cwpnsM3UoLP2fmbfFVJwvCi7xxjllhFtKKJIhDK7L32
qIWYxmIs6rAwQaSBuhxlxhJbJwS/jEFyT16JmZmB+vtX2gX4ywN/KywLFFW7TOUe
VYjNo2Mt1+Upk0b14Wl3ETpspfIVOaeVQ46aey/t0YR2bz7fixA45kzul/XbF3O0
GJ/stSkpOTP6J+V1SE4Y
=RW+7
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.