Date: Tue, 14 Feb 2017 11:55:00 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: XXE in Openpyxl

On Feb 13 2017, Sébastien Delafond wrote:
> On 2017-02-07, Doran Moppert <dmoppert@...hat.com> wrote:
> > This is yet another instance of CVE-2016-9318. As already observed
> > on the Debian tracker, disabling entity resolution altogether is
> > probably going to make openpyxl fail on well-formed Excel documents
> > using standard entities such as &lt;.
>
> we do not see this issue being technically the same thing as
> CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
> entities, and the initial reporter of the Debian bug tested that the
> upstream patch doesn't break regular entities like "&lt;" and
> "&gt;". What do you think ?

My mistake - thanks for bringing this up!

It appears that resolve_entities=False (i.e. options &= ~XML_PARSE_NOENT)
does *not* affect the expansion of predefined entities or character
entities. See [1], [2] and parser.c + HTMLparser.c in libxml source.

1: https://www.xml.com/pub/a/98/08/xmlqna1.html
2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

These flags *do* control the expansion of internal entities, but I expect
that most common protocols and file formats should not rely on those -
including Excel. As long as openpyxl has no need to resolve internal
entities, nor perform DTD validation, CVE-2016-9318 is not relevant and
the proposed patch looks correct.

So yes, the original CVE request was valid and should go ahead:

> the Debian Security Team would like to request a CVE for an XML XEE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
> https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

Also: https://bitbucket.org/openpyxl/openpyxl/issues/749

Sorry about muddying the water with misunderstanding(s).

The tricky part of CVE-2016-9318 seems to be particular requirements of
components like xmlsec that want internal entity resolution without XXE,
or DTD validation without exposing the whole filesystem.

-- 
Doran Moppert
Red Hat Product Security