Date: Wed, 8 Feb 2017 10:27:46 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: XXE in Openpyxl

On Feb 07 2017, Sébastien Delafond wrote:
> the Debian Security Team would like to request a CVE for an XML XXE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
> https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

This is yet another instance of CVE-2016-9318.

As already observed on the Debian tracker, disabling entity resolution
altogether is probably going to make openpyxl fail on well-formed Excel
documents using standard entities such as &lt;.

-- 
Doran Moppert
Red Hat Product Security

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
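An added illustration of the trade-off discussed in this thread (this is example code, not from the thread, from openpyxl or from the linked commit): a stdlib-only expat configuration that refuses DTD-declared and external entities while still expanding the predefined entities such as `&lt;`, which expat handles without any declaration. The sample documents are constructed, and the path in the external entity is a placeholder that does not exist.

```python
import xml.parsers.expat as expat


class ForbiddenEntityError(ValueError):
    """Raised when a document declares entities or references an external DTD."""


def parse_text_without_entities(xml_bytes: bytes) -> str:
    """Parse XML with expat, rejecting every DTD-declared entity and every
    external DTD, while the five predefined entities (&lt; &gt; &amp; &quot;
    &apos;) keep working because expat expands them without a declaration.
    Returns the document's concatenated character data."""
    chunks = []
    parser = expat.ParserCreate()
    # Never expand parameter entities, so an external DTD is never fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise ForbiddenEntityError(f"external DTD not allowed for <{name}>")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        raise ForbiddenEntityError(f"{kind} entity declaration not allowed: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is installed, so expat never follows SYSTEM refs.
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def rejects_entities(xml_bytes: bytes) -> bool:
    """True if parse_text_without_entities refuses the document."""
    try:
        parse_text_without_entities(xml_bytes)
    except ForbiddenEntityError:
        return True
    return False


# Constructed samples: a benign cell value using only predefined entities, an
# internal entity declaration, and an external entity with a placeholder path.
BENIGN = b"<c><v>1 &lt; 2 &amp;&amp; 3 &gt; 0</v></c>"
INTERNAL = b'<!DOCTYPE c [<!ENTITY e "expanded">]><c>&e;</c>'
EXTERNAL = b'<!DOCTYPE c [<!ENTITY x SYSTEM "file:///constructed/no-such-file">]><c>&x;</c>'

if __name__ == "__main__":
    print(parse_text_without_entities(BENIGN))  # 1 < 2 && 3 > 0
    print(rejects_entities(INTERNAL), rejects_entities(EXTERNAL))  # True True
```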