Date: Mon, 13 Feb 2017 10:30:10 +0000 (UTC)
From: Sébastien Delafond <seb@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: XXE in Openpyxl

On 2017-02-07, Doran Moppert <dmoppert@...hat.com> wrote:
> This is yet another instance of CVE-2016-9318.  As already observed
> on the Debian tracker, disabling entity resolution altogether is
> probably going to make openpyxl fail on well-formed Excel documents
> using standard entities such as &lt;.

Hi Doran,

we do not see this issue being technically the same thing as
CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
entities, and the initial reporter of the Debian bug tested that the
upstream patch doesn't break regular entities like "&lt;" and
"&gt;". What do you think?

Cheers,

--Seb
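
The distinction the reply draws, that a parser can refuse to fetch *external* entities while still decoding the predefined ones (`&lt;`, `&gt;`, `&amp;`), can be checked directly. The following is an added example using only the Python standard library's expat binding; it is not openpyxl's code nor the upstream patch, and the two XML fragments are constructed stand-ins for a `sharedStrings.xml` part, not real workbook content. The handler installed with `ExternalEntityRefHandler` simply records the system identifier and returns without loading anything, which is the defensive behaviour a spreadsheet reader wants.

```python
"""Show that refusing external XML entities leaves predefined entities intact.

Standard-library only (xml.parsers.expat). Both XML samples below are
constructed for this example and are not taken from a real workbook.
"""
import xml.parsers.expat

# Constructed: a sharedStrings-like fragment that relies on predefined
# entities, the kind of well-formed input an Excel reader must accept.
BENIGN_XML = (
    b'<?xml version="1.0"?>'
    b'<sst><si><t>a &lt; b &amp; c</t></si></sst>'
)

# Constructed: the same structure with an internal DTD subset declaring an
# external entity. The system id is a placeholder; it is never fetched.
EXTERNAL_ENTITY_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE sst [<!ENTITY ext SYSTEM "file:///constructed/not-fetched.txt">]>'
    b'<sst><si><t>&ext;</t></si></sst>'
)


def parse_without_external_entities(data):
    """Parse `data`, returning (texts, refused).

    `texts` holds the decoded text of every <t> element; `refused` lists the
    system identifiers of external entity references that were declined.
    Predefined entities are expanded by expat itself and need no DTD, so
    they are unaffected by the refusal.
    """
    texts = []    # decoded <t> contents
    refused = []  # external entity system ids we declined to load
    buf = []      # expat may deliver character data in several chunks

    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        if name == "t":
            buf.clear()

    def end(name):
        if name == "t":
            texts.append("".join(buf))

    def chars(text):
        buf.append(text)

    def external_entity(context, base, system_id, public_id):
        # Record the attempt and report "handled" without creating a
        # sub-parser, so no file or URL is ever opened.
        refused.append(system_id)
        return 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = external_entity
    parser.Parse(data, True)
    return texts, refused


if __name__ == "__main__":
    print(parse_without_external_entities(BENIGN_XML))
    print(parse_without_external_entities(EXTERNAL_ENTITY_XML))
```

The benign sample decodes to the string `a < b & c`, while the sample with the external entity yields an empty `<t>` and one refused system id, confirming that the two mechanisms are independent: predefined entities are part of the XML grammar, external entities come only from a DTD.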
