Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 11 Jan 2017 15:23:55 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: python-pysaml2 XML external
 entity attack

On Jan 10 2017, cve-assign@...re.org wrote:
> > python-pysaml2 does
> > not sanitize SAML XML requests or responses:
> > 
> >   https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
> 
> Use CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML
> parsing" in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.

> The scope of this CVE does not include the various other issues that
> may be found in the above references:
> 
>  - it does not include any aspect of
>    https://bugzilla.gnome.org/show_bug.cgi?id=772726

This (libxml2 XXE) has already been assigned CVE-2016-9318.

I have proposed a(n incomplete) patch on that ticket, but do not have
sufficient familiarity with libxml2 to be sure it is sound (and thus
worth completing with proper tests and docs).  If it is, it's possible
that downstream projects could apply a similar patch in client code
while remaining compatible with current (unpatched) libxml2.

Even if this gets into libxml2, client code will need to enable a new
option explicitly to prevent XXE.  There's an argument to make NOXXE
default behaviour, but this could potentially impact a lot of projects
that silently rely on some form of external entity resolution.


>  - it does not include any vulnerabilities in the XML Security Library
>    (xmlsec), such as ones that are now, or previously were, listed at
>    https://github.com/lsh123/xmlsec/issues

xmlsec is exposed to CVE-2016-9318, but considers this a bug in libxml2
and at present has no plans to provide a workaround.  I expect a CVE
assignment for xmlsec will only be needed if it is fixed/worked around
in that project.


-- 
Doran Moppert
Red Hat Product Security

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.