Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 Jan 2017 18:04:45 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Cc: seb@...ian.org, cve-assign@...re.org
Subject: Re: Re: CVE request: python-pysaml2 XML external
 entity attack

I think this CVE needs some clarification.

On Jan 10 2017, cve-assign@...re.org wrote:
> > python-pysaml2 does
> > not sanitize SAML XML requests or responses:
> > 
> >   https://github.com/rohe/pysaml2/issues/366
> >   https://github.com/rohe/pysaml2/pull/379
> >   https://bugs.debian.org/850716
> >   https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

issues/376 identifies an XML External Entity flaw (CWE-611), but the
"related commit" 6e09a25d and pull request 379 addresses only Billion
Laughs vulnerabilities (CWE-776).

While the patch's commit message seems to be incorrect in mentioning
XXE, it does not claim to fix issues/379, which is (correctly) still
open.

Thus the below description of CVE-2016-10127 is inconsistent - the
vulnerability addressed by 6e09a25 is CWE-776, which is excluded from
the CVE's coverage by the third list item.

> Use CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML
> parsing" in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.
> 
> The scope of this CVE does not include the various other issues that
> may be found in the above references:
> 
>  - it does not include any aspect of
>    https://bugzilla.gnome.org/show_bug.cgi?id=772726
> 
>  - it does not include any vulnerabilities in the XML Security Library
>    (xmlsec), such as ones that are now, or previously were, listed at
>    https://github.com/lsh123/xmlsec/issues
> 
>  - it does not include any CWE-776 (Entity Expansion) issues that may
>    have been fixed as a side effect of
>    6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (possibly there are new
>    test cases in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b for CWE-776)

This can be seen also by noticing that the patch substitues
"defusedxml.ElementTree" for "xml.etree.ElementTree" (and its native
code equivalent cElementTree), and consulting the table and note #1 at:

https://docs.python.org/2/library/xml.html#xml-vulnerabilities

which points out that "etree" is vulnerable to CWE-776 but not to
CWE-611.

The CWE-611 vulnerability in libxml2 (CVE-2016-9318) is still exposed in
pysaml2, via its use of lxml and xmlsec.

The exposure via lxml may be mitigable by disabling entity resolution
altogether (resolve_entities=False), but xmlsec seems to lack any such
switch.

-- 
Doran Moppert
Red Hat Product Security

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.