Date: Thu, 19 Jan 2017 18:04:45 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Cc: seb@...ian.org, cve-assign@...re.org
Subject: Re: Re: CVE request: python-pysaml2 XML external entity attack

I think this CVE needs some clarification.

On Jan 10 2017, cve-assign@...re.org wrote:
> > python-pysaml2 does
> > not sanitize SAML XML requests or responses:
> > 
> >   https://github.com/rohe/pysaml2/issues/366
> >   https://github.com/rohe/pysaml2/pull/379
> >   https://bugs.debian.org/850716
> >   https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

issues/376 identifies an XML External Entity flaw (CWE-611), but the
"related commit" 6e09a25d and pull request 379 addresses only Billion
Laughs vulnerabilities (CWE-776).

While the patch's commit message seems to be incorrect in mentioning
XXE, it does not claim to fix issues/379, which is (correctly) still
open.

Thus the below description of CVE-2016-10127 is inconsistent - the
vulnerability addressed by 6e09a25 is CWE-776, which is excluded from
the CVE's coverage by the third list item.

> Use CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML
> parsing" in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.
> 
> The scope of this CVE does not include the various other issues that
> may be found in the above references:
> 
>  - it does not include any aspect of
>    https://bugzilla.gnome.org/show_bug.cgi?id=772726
> 
>  - it does not include any vulnerabilities in the XML Security Library
>    (xmlsec), such as ones that are now, or previously were, listed at
>    https://github.com/lsh123/xmlsec/issues
> 
>  - it does not include any CWE-776 (Entity Expansion) issues that may
>    have been fixed as a side effect of
>    6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (possibly there are new
>    test cases in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b for CWE-776)

This can be seen also by noticing that the patch substitutes
"defusedxml.ElementTree" for "xml.etree.ElementTree" (and its native
code equivalent cElementTree), and consulting the table and note #1 at:

https://docs.python.org/2/library/xml.html#xml-vulnerabilities

which points out that "etree" is vulnerable to CWE-776 but not to
CWE-611.

The CWE-611 vulnerability in libxml2 (CVE-2016-9318) is still exposed in
pysaml2, via its use of lxml and xmlsec.

The exposure via lxml may be mitigable by disabling entity resolution
altogether (resolve_entities=False), but xmlsec seems to lack any such
switch.

-- 
Doran Moppert
Red Hat Product Security
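
The CWE-776 / CWE-611 distinction the message draws for "xml.etree" can be checked directly. The following is an added example, not code from the thread or from pysaml2/defusedxml: it parses two constructed documents with the stdlib parser the pre-patch pysaml2 used, then re-implements the defusedxml idea (abort on any entity declaration or external reference) as a minimal expat pre-scan; the sample documents, the placeholder SYSTEM id and the function names are all assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed samples, not from the thread. A three-level internal entity
# chain (CWE-776): expat expands it to 4 * 4 = 16 copies of "ha".
ENTITY_EXPANSION = b"""<!DOCTYPE r [
 <!ENTITY a "ha">
 <!ENTITY b "&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;">
]><r>&c;</r>"""

# External entity reference (CWE-611); the SYSTEM id is a placeholder.
EXTERNAL_ENTITY = b"""<!DOCTYPE r [
 <!ENTITY ext SYSTEM "file:///placeholder/never-fetched">
]><r>&ext;</r>"""

class ForbiddenXML(ValueError):
    """Raised when a document declares or references entities."""

def parse_with_stdlib(doc: bytes):
    """xml.etree as pysaml2 used it before the patch: internal entities are
    expanded without limit, so the element text grows with the chain."""
    return ET.fromstring(doc).text

def stdlib_fetches_external(doc: bytes) -> bool:
    """xml.etree sets no external-entity handler: the reference is either
    reported as undefined or left empty, so no file content ever appears."""
    try:
        return bool(ET.fromstring(doc).text)
    except ET.ParseError:
        return False

def reject_entities(doc: bytes) -> None:
    """Pre-scan with expat and abort on any entity declaration or external
    reference (defusedxml's technique, reconstructed here; an assumption)."""
    p = expat.ParserCreate()
    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration forbidden: {name}")
    def external_ref(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity forbidden: {sysid}")
    p.EntityDeclHandler = entity_decl
    p.ExternalEntityRefHandler = external_ref
    p.Parse(doc, True)

def is_rejected(doc: bytes) -> bool:
    # True if the pre-scan blocks the document before ET ever sees it.
    try:
        reject_entities(doc)
    except ForbiddenXML:
        return True
    ET.fromstring(doc)  # clean input still parses as before
    return False
```

The pre-scan rejects both samples, while the stdlib parser alone only fails the second, which is the behaviour the docs table describes.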

