Date: Thu, 19 Jan 2017 18:04:45 +1030
From: Doran Moppert <>
Subject: Re: Re: CVE request: python-pysaml2 XML external entity attack

I think this CVE needs some clarification.

On Jan 10 2017, wrote:
> > python-pysaml2 does
> > not sanitize SAML XML requests or responses:
> > 
> >
> >
> >
> >

issues/376 identifies an XML External Entity flaw (CWE-611), but the
"related commit" 6e09a25d and pull request 379 address only Billion
Laughs vulnerabilities (CWE-776).

While the patch's commit message seems to be incorrect in mentioning
XXE, it does not claim to fix issues/379, which is (correctly) still

Thus the below description of CVE-2016-10127 is inconsistent - the
vulnerability addressed by 6e09a25 is CWE-776, which is excluded from
the CVE's coverage by the third list item.

> Use CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML
> parsing" in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.
> The scope of this CVE does not include the various other issues that
> may be found in the above references:
>  - it does not include any aspect of
>  - it does not include any vulnerabilities in the XML Security Library
>    (xmlsec), such as ones that are now, or previously were, listed at
>  - it does not include any CWE-776 (Entity Expansion) issues that may
>    have been fixed as a side effect of
>    6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (possibly there are new
>    test cases in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b for CWE-776)

This can be seen also by noticing that the patch substitutes
"defusedxml.ElementTree" for "xml.etree.ElementTree" (and its native
code equivalent cElementTree), and consulting the table and note #1 at:

which points out that "etree" is vulnerable to CWE-776 but not to

The CWE-611 vulnerability in libxml2 (CVE-2016-9318) is still exposed in
pysaml2, via its use of lxml and xmlsec.

The exposure via lxml may be mitigable by disabling entity resolution
altogether (resolve_entities=False), but xmlsec seems to lack any such

Doran Moppert
Red Hat Product Security
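As an added illustration (not code from this thread, from pysaml2 or from defusedxml): the defusedxml substitution discussed above works by hooking expat's DTD callbacks and aborting at the first entity declaration, before anything is expanded. The guard below reproduces that check with the standard library only, so a stdlib etree caller refuses both an expansion chain (CWE-776) and an external entity (CWE-611) at the declaration. The SAML-looking messages and the SYSTEM target name are constructed placeholders; the lxml resolve_entities=False mitigation is not shown because lxml is not in the standard library.

```python
import xml.parsers.expat
from xml.etree import ElementTree


class ForbiddenEntity(ValueError):
    """Raised when a document declares an entity or references an external one."""


def guard_parse(data: bytes) -> ElementTree.Element:
    """Pre-pass over expat's DTD callbacks, then hand the vetted bytes to xml.etree.

    Raising inside the callback stops expat at the <!ENTITY ...> declaration, so
    neither a CWE-776 expansion chain nor a CWE-611 external entity is expanded.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        raise ForbiddenEntity("%s entity %r declared" % (kind, name))

    def on_external_ref(context, base, sysid, pubid):
        # Only reached if a declaration somehow got past on_entity_decl.
        raise ForbiddenEntity("external entity reference to %r" % sysid)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # raises ForbiddenEntity, or ExpatError if malformed
    return ElementTree.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'ok' or the rejection reason; handy for logging at the SP/IdP boundary."""
    try:
        guard_parse(data)
        return "ok"
    except ForbiddenEntity as exc:
        return "rejected: %s" % exc


# Constructed sample messages, not real SAML traffic.
CLEAN = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         b'ID="_r1"><samlp:Status/></samlp:Response>')
# Tiny expansion chain of the CWE-776 kind; the guard stops at the first <!ENTITY>.
EXPANSION = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaa">'
             b'<!ENTITY b "&a;&a;&a;&a;">]><r>&b;</r>')
# External entity of the CWE-611 kind; the SYSTEM target is a placeholder name.
EXTERNAL = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM "placeholder.txt">]>'
            b'<r>&ext;</r>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("expansion", EXPANSION), ("external", EXTERNAL)):
        print(label, "->", classify(doc))
```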

