Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 9 Jun 2014 09:15:38 -0700
From: Tim <tim-security@...tinelchicken.org>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0191 libxml2: external parameter entity
 loaded when entity substitution is disabled



> > I did end up releasing my paper recently, which I believe has
> > up-to-date recommendations for Xerces:
> >   http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
> 
> It continues to mention setExpandEntityReferences, hinting that should
> be expected to provide security protections (text seems to imply
> external entities are not expanded in documents, but they are still
> defined and remote URLs fetched).  As previously mentioned, the setting
> only changes DOM tree layout, and does not disable entity expansion.
> 
> E.g. parsing the following two inputs (one using internal other
> external general entity):
> 
> $ cat test1.xml 
> <?xml version="1.0"?>
> <!DOCTYPE bleh [
> <!ENTITY bar "BAR">
> ]>
> <root>foo &bar; baz</root>
> 
> $ cat test2.xml 
> <?xml version="1.0"?>
> <!DOCTYPE bleh [
> <!ENTITY bar SYSTEM "test2-bar.txt">
> ]>
> <root>foo &bar; baz</root>
> 
> $ cat test2-bar.txt 
> BAR
> 
> Setting setExpandEntityReferences to false changes the tree from:
> 
> - (Element) <root>
>   - (Text) foo BAR baz
> 
> to:
> 
> - (Element) <root>
>   - (Text) foo 
>   - (Entity Reference) &bar;
>   - (Text) BAR baz
> 
> &bar; is expanded to BAR either way.


Hmm, that's not the behavior I observed.  I'll try to find some time
to rerun my tests and compare notes with you off list.

tim

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ