Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Feb 2017 11:55:00 +1030
From: Doran Moppert <>
Subject: Re: Re: CVE request: XXE in Openpyxl

On Feb 13 2017, S├ębastien Delafond wrote:
> On 2017-02-07, Doran Moppert <> wrote:
> > This is yet another instance of CVE-2016-9318.  As already observed
> > on the Debian tracker, disabling entity resolution altogether is
> > probably going to make openpyxl fail on well-formed Excel documents
> > using standard entities such as &lt;.
> we do not see this issue being technically the same thing as
> CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
> entities, and the initial reporter of the Debian bug tested that the
> upstream patch doesn't break reglar entities like "&lt"; and
> "&gt;". What do you think ?

My mistake - thanks for bringing this up!

It appears that resolve_entities=False (ie. options &= ~XML_PARSE_NOENT)
does *not* affect the expansion of predefined entities or character
entities.  See [1], [2] and parser.c + HTMLparser.c in libxml source.


These flags *do* control the expansion of internal entities, but I
expect that most common protocols and file formats should not rely on
those - including Excel.  As long as openpyxl has no need to resolve
internal entities, nor perform DTD validation, CVE-2016-9318 is not
relevant and the proposed patch looks correct.

So yes, the original CVE request was valid and should go ahead:

> the Debian Security Team would like to request a CVE for an XML XEE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:


Sorry about muddying the water with misunderstanding(s).  The tricky
part of CVE-2016-9318 seems to be particular requirements of components
like xmlsec that want internal entity resolution without XXE, or DTD
validation without exposing the whole filesystem.

Doran Moppert
Red Hat Product Security

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ