Date: Mon, 9 Jun 2014 09:15:38 -0700 From: Tim <tim-security@...tinelchicken.org> To: Tomas Hoger <thoger@...hat.com> Cc: oss-security@...ts.openwall.com Subject: Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled > > I did end up releasing my paper recently, which I believe has > > up-to-date recommendations for Xerces: > > http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf > > It continues to mention setExpandEntityReferences, hinting that should > be expected to provide security protections (text seems to imply > external entities are not expanded in documents, but they are still > defined and remote URLs fetched). As previously mentioned, the setting > only changes DOM tree layout, and does not disable entity expansion. > > E.g. parsing the following two inputs (one using internal other > external general entity): > > $ cat test1.xml > <?xml version="1.0"?> > <!DOCTYPE bleh [ > <!ENTITY bar "BAR"> > ]> > <root>foo &bar; baz</root> > > $ cat test2.xml > <?xml version="1.0"?> > <!DOCTYPE bleh [ > <!ENTITY bar SYSTEM "test2-bar.txt"> > ]> > <root>foo &bar; baz</root> > > $ cat test2-bar.txt > BAR > > Setting setExpandEntityReferences to false changes the tree from: > > - (Element) <root> > - (Text) foo BAR baz > > to: > > - (Element) <root> > - (Text) foo > - (Entity Reference) &bar; > - (Text) BAR baz > > &bar; is expanded to BAR either way. Hmm, that's not the behavior I observed. I'll try to find some time to rerun my tests and compare notes with you off list. tim
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ