Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Feb 2017 09:29:48 +0000 (UTC)
From: S├ębastien Delafond <seb@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: XXE in Openpyxl

On 2017-02-14, Doran Moppert <dmoppert@...hat.com> wrote:
> My mistake - thanks for bringing this up!
>
> It appears that resolve_entities=False (ie. options &=
> ~XML_PARSE_NOENT) does *not* affect the expansion of predefined
> entities or character entities.  See [1], [2] and parser.c +
> HTMLparser.c in libxml source.
>
> 1: https://www.xml.com/pub/a/98/08/xmlqna1.html
> 2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
>
> These flags *do* control the expansion of internal entities, but I
> expect that most common protocols and file formats should not rely on
> those - including Excel.  As long as openpyxl has no need to resolve
> internal entities, nor perform DTD validation, CVE-2016-9318 is not
> relevant and the proposed patch looks correct.
>
>
> So yes, the original CVE request was valid and should go ahead:

@MITRE, can you assign one directly, since this request pre-dates the
requirement of going through the web form, or should I resubmit there
anyway ?

>> the Debian Security Team would like to request a CVE for an XML XEE
>> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
>> resolves external entities by default:
>> 
>>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
>>   https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
>
> Also: https://bitbucket.org/openpyxl/openpyxl/issues/749

> Sorry about muddying the water with misunderstanding(s).  The tricky
> part of CVE-2016-9318 seems to be particular requirements of
> components like xmlsec that want internal entity resolution without
> XXE, or DTD validation without exposing the whole filesystem.

No problem at all, the overall implications of CVE-2016-9318 and entity
resolution are indeed pretty complex.

Cheers,

--Seb

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ