Date: Wed, 8 Feb 2017 10:27:46 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: XXE in Openpyxl

On Feb 07 2017, Sébastien Delafond wrote:
> the Debian Security Team would like to request a CVE for an XML XXE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
>   https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

This is yet another instance of CVE-2016-9318.  As already observed on
the Debian tracker, disabling entity resolution altogether is probably
going to make openpyxl fail on well-formed Excel documents using
standard entities such as &lt;.

-- 
Doran Moppert
Red Hat Product Security
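The concern in the reply above is whether refusing entity resolution also breaks documents that use a predefined entity such as &lt;. The following added example (written for this page, not code from openpyxl, from either poster, or from the linked commit) uses Python's standard-library expat binding to parse a constructed sharedStrings-like fragment two ways: with expat's default behaviour, where an entity declared in the internal DTD subset is expanded into the cell text, and with an EntityDeclHandler that rejects any <!ENTITY ...> declaration (internal or external) before it can be used. The predefined entity &lt; is decoded by expat itself and never passes through that handler. The element names and both sample documents are constructed for the example.

```python
"""Added example: hardening a stdlib expat parser against DTD-declared entities.

Not part of openpyxl or of the thread above; sample documents are constructed.
"""
import xml.parsers.expat as expat


class EntityDeclarationForbidden(ValueError):
    """Raised when the document declares its own entities in a DTD."""


# Constructed sample 1: a well-formed fragment using only the predefined &lt; entity.
PREDEFINED_ENTITY_DOC = b'<?xml version="1.0"?><sst><si><t>a &lt; b</t></si></sst>'

# Constructed sample 2: the same shape, but the internal DTD subset declares an
# entity and the cell text references it. Expat expands it unless told otherwise.
DECLARED_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE sst [<!ENTITY x "expanded">]>'
    b"<sst><si><t>&x;</t></si></sst>"
)


def parse_shared_strings(xml_bytes: bytes, forbid_declared_entities: bool = True) -> list:
    """Return the text of every <t> element in the document.

    With forbid_declared_entities=True any entity declaration aborts parsing
    with EntityDeclarationForbidden; predefined entities (&lt; &gt; &amp;
    &quot; &apos;) are still decoded because expat handles them internally.
    """
    strings = []
    state = {"in_t": False, "buf": []}
    parser = expat.ParserCreate()

    def start_element(name, attrs):
        if name == "t":
            state["in_t"] = True
            state["buf"] = []

    def end_element(name):
        if name == "t":
            state["in_t"] = False
            strings.append("".join(state["buf"]))

    def character_data(data):
        # Expat may deliver "a ", "<", " b" as separate calls; buffer and join.
        if state["in_t"]:
            state["buf"].append(data)

    def entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        # Reject internal and external declarations alike; raising here stops the parse.
        raise EntityDeclarationForbidden(
            f"refusing entity declaration {name!r} (system id {system_id!r})"
        )

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    if forbid_declared_entities:
        parser.EntityDeclHandler = entity_decl

    parser.Parse(xml_bytes, True)
    return strings


def rejects_declared_entities(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document because of an entity declaration."""
    try:
        parse_shared_strings(xml_bytes, forbid_declared_entities=True)
    except EntityDeclarationForbidden:
        return True
    return False


if __name__ == "__main__":
    print(parse_shared_strings(PREDEFINED_ENTITY_DOC, forbid_declared_entities=False))
    print(parse_shared_strings(PREDEFINED_ENTITY_DOC))
    print(parse_shared_strings(DECLARED_ENTITY_DOC, forbid_declared_entities=False))
    print(rejects_declared_entities(DECLARED_ENTITY_DOC))
```

Running the block prints the decoded text "a < b" for the first document under both configurations, "expanded" for the second document under expat's defaults, and True when the hardened parser meets the declaration. Libraries that parse spreadsheet XML can apply the same split when choosing a mitigation: refuse DTD entity declarations (or the DOCTYPE altogether) rather than entity handling as a whole.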
