Date: Thu, 19 Jan 2017 18:04:45 +1030 From: Doran Moppert <dmoppert@...hat.com> To: oss-security@...ts.openwall.com Cc: seb@...ian.org, cve-assign@...re.org Subject: Re: Re: CVE request: python-pysaml2 XML external entity attack I think this CVE needs some clarification. On Jan 10 2017, cve-assign@...re.org wrote: > > python-pysaml2 does > > not sanitize SAML XML requests or responses: > > > > https://github.com/rohe/pysaml2/issues/366 > > https://github.com/rohe/pysaml2/pull/379 > > https://bugs.debian.org/850716 > > https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b issues/376 identifies an XML External Entity flaw (CWE-611), but the "related commit" 6e09a25d and pull request 379 addresses only Billion Laughs vulnerabilities (CWE-776). While the patch's commit message seems to be incorrect in mentioning XXE, it does not claim to fix issues/379, which is (correctly) still open. Thus the below description of CVE-2016-10127 is inconsistent - the vulnerability addressed by 6e09a25 is CWE-776, which is excluded from the CVE's coverage by the third list item. > Use CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML > parsing" in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b. > > The scope of this CVE does not include the various other issues that > may be found in the above references: > > - it does not include any aspect of > https://bugzilla.gnome.org/show_bug.cgi?id=772726 > > - it does not include any vulnerabilities in the XML Security Library > (xmlsec), such as ones that are now, or previously were, listed at > https://github.com/lsh123/xmlsec/issues > > - it does not include any CWE-776 (Entity Expansion) issues that may > have been fixed as a side effect of > 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (possibly there are new > test cases in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b for CWE-776) This can be seen also by noticing that the patch substitues "defusedxml.ElementTree" for "xml.etree.ElementTree" (and its native code equivalent cElementTree), and consulting the table and note #1 at: https://docs.python.org/2/library/xml.html#xml-vulnerabilities which points out that "etree" is vulnerable to CWE-776 but not to CWE-611. The CWE-611 vulnerability in libxml2 (CVE-2016-9318) is still exposed in pysaml2, via its use of lxml and xmlsec. The exposure via lxml may be mitigable by disabling entity resolution altogether (resolve_entities=False), but xmlsec seems to lack any such switch. -- Doran Moppert Red Hat Product Security [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ