Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 28 Mar 2016 13:12:44 -0400 (EDT)
From: cve-assign@...re.org
To: joerg.schaible@....de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - XStream: XXE vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> XStream (x-stream.github.io) ... An attacker could therefore provide
> manipulated XML as input to access data on the file system
> 
> Since XStream 1.4.9 all parsers are configured to ignore external entities
> by default as far as such behavior is configurable:
> http://x-stream.github.io/changes.html#1.4.9

Use CVE-2016-3674 for the XStream vulnerability that was resolved by
this change.


> Applications using XOM or explicitly BEA's old StAX reference parser are
> still vulnerable, we found no way to deactivate processing of external
> entities for those two.

These seem to be present in one or more Linux distributions and thus
might have widespread deployment, e.g.,

  http://pkgs.fedoraproject.org/cgit/rpms/xom.git
  http://pkgs.fedoraproject.org/cgit/rpms/bea-stax.git

Within the context of XStream itself, we do not feel that the
XomDriver or BEAStaxDriver behavior should have a CVE stating that
version 1.4.9 is vulnerable, because
http://x-stream.github.io/faq.html#Security_XXEVulnerability
explicitly documents the behavior, and XStream users could reasonably
be expected to look at that FAQ document before choosing XomDriver or
BEAStaxDriver for use with untrusted XML documents.

However, that FAQ document might suggest that the underlying problems
are upstream implementation errors, e.g., the design of these pieces
of code would be reasonably expected to support ignoring all external
entities but did not achieve that:

  https://java.net/projects/xom/sources/svn/content/trunk/src/nu/xom/tests/BuilderTest.java
  private static class NonEntityResolvingFilter extends XMLFilterImpl

  https://repository.jboss.org/nexus/content/groups/public-jboss/stax/stax-src/1.2.0/stax-src-1.2.0.distribution-zip
  src/com/bea/xml/stream/ConfigurationContextBase.java

Does anyone want to request two CVE IDs for these two products? (We
think that the StAX issue is more general than CVE-2013-7315.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW+WWhAAoJEL54rhJi8gl5ASUP/iZGOTiraYf0lVA5xgjcfbN6
7kqf5Oqlv/FH4Vrj5qe2irFrQ0bZuZbMoLtSUFWq/bBTPcxa8ITd/sJB6f9N5/tw
P/EseQRf/HfpzSSKPjuOUNIMYoJ7ik2UAdeClndCiHZtHqvp4and+pXk3yM3J4fV
BLXcecUhQf0qZuC4RIglK5VEe62hMiEMHSRglt7B1rNJimpBbID0ObNOUqKjjEQA
sIwbAl0Mm9Vebennxb7uJB5gCEbZKhL9APJay5NzBp3fPB0a2upHSNZ6gouCBha1
3CBqVdFQxYYEyQ0iB3A7kKTR7f5d8CtO8aBGwolkoH2dcRxpvMfdFV3EsxvDxiiZ
p6IM+VFa/SgxOeaDhlVZeqtlGvzgTMNSdi9l34352RQuniloGBq/GQvwh54PaaQy
netM0hUmKgR+O+WMC2gV+WFgTQYnUP94zx0D6P3Eq25S04RlQQIkK5aYP7iVsKRw
lxZGgjnTUG5MgFSec+bjKqCDcSTCg/BQ2rKGWsAvKV0tjePauQ9OHohumNvSVaxo
/ju9jZKNsKXBZPB6g1Tk8JG9WkifpdarfxAtlkBmbpJaqYbfIn6jlbYGE4ZD1ovl
Q2TQ0GRfMW2c8vKhYUB/FDT7hEcRjAe6gH9SXGMV9q94zPsgF72EHOqG+srT6+tQ
aHE6v/IZoJHc0cPvyGzy
=g/fx
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ