Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Tue, 14 Feb 2017 09:29:48 +0000 (UTC)
From: Sébastien Delafond <>
Subject: Re: CVE request: XXE in Openpyxl

On 2017-02-14, Doran Moppert <> wrote:
> My mistake - thanks for bringing this up!
> It appears that resolve_entities=False (i.e. options &=
> ~XML_PARSE_NOENT) does *not* affect the expansion of predefined
> entities or character entities.  See [1], [2] and parser.c +
> HTMLparser.c in libxml source.
> 1:
> 2:
> These flags *do* control the expansion of internal entities, but I
> expect that most common protocols and file formats should not rely on
> those - including Excel.  As long as openpyxl has no need to resolve
> internal entities, nor perform DTD validation, CVE-2016-9318 is not
> relevant and the proposed patch looks correct.
> So yes, the original CVE request was valid and should go ahead:

@MITRE, can you assign one directly, since this request pre-dates the
requirement of going through the web form, or should I resubmit there
anyway?

>> the Debian Security Team would like to request a CVE for an XML XXE
>> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
>> resolves external entities by default:
> Also:

> Sorry about muddying the water with misunderstanding(s).  The tricky
> part of CVE-2016-9318 seems to be particular requirements of
> components like xmlsec that want internal entity resolution without
> XXE, or DTD validation without exposing the whole filesystem.

No problem at all, the overall implications of CVE-2016-9318 and entity
resolution are indeed pretty complex.
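The following is an added illustration of the behaviour Doran describes in the quoted text above, written for this page rather than taken from the thread, openpyxl or lxml. It parses three constructed documents with lxml (which drives libxml2) and shows that with resolve_entities=False predefined entities and character references still expand, while internal and external general entities are left as unresolved reference nodes and the external file is never read; with resolve_entities=True the internal entity expands and the external entity leaks the file. The function names, the sample documents and the temporary "secret" file are all constructed for this example.

```python
import tempfile
from pathlib import Path

from lxml import etree

# Constructed sample documents (not from the thread).
PREDEFINED = b"<r>&amp;&#x41;</r>"                            # &amp; plus a character reference
INTERNAL = b'<!DOCTYPE r [<!ENTITY foo "bar">]><r>&foo;</r>'  # internal general entity


def parse_entities(doc, resolve_entities):
    """Parse doc with lxml and return (text of <r>, names of unresolved entity refs).

    resolve_entities=False leaves libxml2 without XML_PARSE_NOENT: internal and
    external general entities stay as _Entity nodes in the tree, while the
    predefined entities and character references are expanded regardless.
    """
    parser = etree.XMLParser(resolve_entities=resolve_entities,
                             load_dtd=False, no_network=True)
    root = etree.fromstring(doc, parser)
    unresolved = [ent.name for ent in root.iter(etree.Entity)]
    return root.text, unresolved


def external_entity_probe(resolve_entities):
    """Point an external general entity at a local file and report whether its
    contents ended up in the parsed tree (the XXE the thread is about).

    The file and its content are constructed here for the demonstration.
    """
    secret = "constructed-secret-3f9a"
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "secret.txt"
        path.write_text(secret)
        doc = ('<!DOCTYPE r [<!ENTITY xxe SYSTEM "%s">]><r>&xxe;</r>'
               % path.as_uri()).encode()
        text, unresolved = parse_entities(doc, resolve_entities)
    return {"leaked": text == secret, "unresolved": unresolved}


def safe_parse(doc):
    """Parse untrusted XML with entity substitution off and refuse any document
    that still needed an internal or external entity.

    Formats such as OOXML do not rely on user-defined entities, so a leftover
    reference is a reason to reject the input, not to turn NOENT back on.
    """
    parser = etree.XMLParser(resolve_entities=False, load_dtd=False,
                             no_network=True)
    root = etree.fromstring(doc, parser)
    leftovers = [ent.name for ent in root.iter(etree.Entity)]
    if leftovers:
        raise ValueError("unresolved entity references: %s" % leftovers)
    return root


if __name__ == "__main__":
    print(parse_entities(PREDEFINED, False))   # ('&A', [])
    print(parse_entities(INTERNAL, False))     # (None, ['foo'])
    print(parse_entities(INTERNAL, True))      # ('bar', [])
    print(external_entity_probe(False))        # {'leaked': False, 'unresolved': ['xxe']}
    print(external_entity_probe(True))         # {'leaked': True, 'unresolved': []}
```

Note that none of this touches DTD validation: as the thread points out, libxml2 loads external entities whenever validation is requested, so the safe_parse approach only holds for consumers that, like openpyxl, need neither internal entities nor a validated DTD.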
