Date: Tue, 14 Feb 2017 11:55:00 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: XXE in Openpyxl

On Feb 13 2017, Sébastien Delafond wrote:
> On 2017-02-07, Doran Moppert <dmoppert@...hat.com> wrote:
> > This is yet another instance of CVE-2016-9318.  As already observed
> > on the Debian tracker, disabling entity resolution altogether is
> > probably going to make openpyxl fail on well-formed Excel documents
> > using standard entities such as &lt;.
> 
> we do not see this issue being technically the same thing as
> CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
> entities, and the initial reporter of the Debian bug tested that the
> upstream patch doesn't break regular entities like "&lt;" and
> "&gt;". What do you think?

My mistake - thanks for bringing this up!

It appears that resolve_entities=False (i.e. options &= ~XML_PARSE_NOENT)
does *not* affect the expansion of predefined entities or character
entities.  See [1], [2] and parser.c + HTMLparser.c in libxml source.

1: https://www.xml.com/pub/a/98/08/xmlqna1.html
2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

These flags *do* control the expansion of internal entities, but I
expect that most common protocols and file formats should not rely on
those - including Excel.  As long as openpyxl has no need to resolve
internal entities, nor perform DTD validation, CVE-2016-9318 is not
relevant and the proposed patch looks correct.


So yes, the original CVE request was valid and should go ahead:

> the Debian Security Team would like to request a CVE for an XML XEE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
>   https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

Also: https://bitbucket.org/openpyxl/openpyxl/issues/749


Sorry about muddying the water with misunderstanding(s).  The tricky
part of CVE-2016-9318 seems to be particular requirements of components
like xmlsec that want internal entity resolution without XXE, or DTD
validation without exposing the whole filesystem.

-- 
Doran Moppert
Red Hat Product Security

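As an added illustration of the distinction drawn in this thread (this is example code written for this page, not code from the thread, from openpyxl or from lxml): the snippet below parses a constructed document with lxml and shows that resolve_entities=False leaves predefined entities and numeric character references expanded, while an internal entity declared in the inline DTD is kept as an unresolved entity node instead of being substituted. It assumes lxml is installed; the sample document and the helper name parse_entities are constructed for this example. This is the kind of check a maintainer would run to confirm that a hardened parser configuration does not break well-formed documents that only use standard entities.

```python
"""Check what lxml's resolve_entities=False actually disables.

Added example (not from the thread or openpyxl). Assumes lxml is installed.
"""
from lxml import etree

# Constructed sample document: a predefined entity, numeric character
# references, and one *internal* entity declared in the inline DTD subset.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE root [ <!ENTITY greeting "hello"> ]>
<root>
  <predefined>&lt;b&gt;</predefined>
  <charref>&#65;&#x42;</charref>
  <internal>&greeting;</internal>
</root>"""


def parse_entities(xml_bytes, resolve_entities):
    """Parse xml_bytes and report, per child of the root element, the text
    libxml2 produced and the names of any entity references left unresolved.
    """
    # no_network and load_dtd are lxml's defaults (True / False) but are
    # spelled out so the hardened configuration is visible in one place.
    parser = etree.XMLParser(resolve_entities=resolve_entities,
                             no_network=True, load_dtd=False)
    root = etree.fromstring(xml_bytes, parser)
    report = {}
    for element in root:
        # With resolve_entities=False libxml2 keeps an entity reference node
        # for an internal entity instead of substituting its value; lxml
        # exposes that node as an _Entity child carrying the entity name.
        unresolved = [child.name for child in element
                      if isinstance(child, etree._Entity)]
        report[element.tag] = {
            "text": element.text,
            "unresolved": unresolved,
            "serialized": etree.tostring(element, with_tail=False).decode(),
        }
    return report


if __name__ == "__main__":
    for setting in (True, False):
        print(f"resolve_entities={setting}")
        for tag, info in parse_entities(SAMPLE_XML, setting).items():
            print(f"  {tag:10} text={info['text']!r} "
                  f"unresolved={info['unresolved']}")
```

Running it shows `&lt;b&gt;` and `&#65;&#x42;` coming back as `<b>` and `AB` under both settings, while `&greeting;` is only substituted when resolve_entities is True; with it False the element's text is None and the entity name is listed as unresolved.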
