Date: Tue, 14 Feb 2017 09:29:48 +0000 (UTC) From: Sébastien Delafond <seb@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: CVE request: XXE in Openpyxl On 2017-02-14, Doran Moppert <dmoppert@...hat.com> wrote: > My mistake - thanks for bringing this up! > > It appears that resolve_entities=False (ie. options &= > ~XML_PARSE_NOENT) does *not* affect the expansion of predefined > entities or character entities. See ,  and parser.c + > HTMLparser.c in libxml source. > > 1: https://www.xml.com/pub/a/98/08/xmlqna1.html > 2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references > > These flags *do* control the expansion of internal entities, but I > expect that most common protocols and file formats should not rely on > those - including Excel. As long as openpyxl has no need to resolve > internal entities, nor perform DTD validation, CVE-2016-9318 is not > relevant and the proposed patch looks correct. > > > So yes, the original CVE request was valid and should go ahead: @MITRE, can you assign one directly, since this request pre-dates the requirement of going through the web form, or should I resubmit there anyway ? >> the Debian Security Team would like to request a CVE for an XML XEE >> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl >> resolves external entities by default: >> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442 >> https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1 > > Also: https://bitbucket.org/openpyxl/openpyxl/issues/749 > Sorry about muddying the water with misunderstanding(s). The tricky > part of CVE-2016-9318 seems to be particular requirements of > components like xmlsec that want internal entity resolution without > XXE, or DTD validation without exposing the whole filesystem. No problem at all, the overall implications of CVE-2016-9318 and entity resolution are indeed pretty complex. Cheers, --Seb
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ