Date: Wed, 20 Feb 2013 13:30:52 -0700 From: Kurt Seifried <kseifried@...hat.com> To: Tim <tim-security@...tinelchicken.org> CC: oss-security@...ts.openwall.com Subject: Re: RE: Handling CVEs for the XML entity expansion issues -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/20/2013 01:06 PM, Tim wrote: > >> Docbook uses it quite a bit, e.g. each chapter is a file, then >> you use external entities to put them all together, also for >> graphics/etc. Breaking Docbook would make me a sad panda. > > Well sure, some minority of apps will break. Libraries release > notes merely need to say "next version breaks backward > compatibility for apps that use entities and inline DTDs. If your > app uses these, explicitly enable with ..." Once again, "off by > default", not removed. Yeah I'm pretty sure that's a less than ideal solution. Less ideal in the sense of "breaking a whole bunch of customer software without much warning, some of which is probably closed source and can't be modified so that it works with these new "improved" xml libraries" is not the way to go. So that's not gonna happen for most major Linux vendors (in other words we'll have to find better ways to fix this). Like Linus says, we can't just start breaking things. That's not how you fix things. >> I tend to agree, however for the billion laughs/linear attack >> that can be somewhat addressed, libxml for example addressed it >> by stopping all non linear expansion a few years ago, so while >> still vulnerable they are less vulnerable. > > Yes, but this is by far the least interesting attack scenario for > most XML libraries. Since libxml2 is pretty limited in it's > entities support and network capabilities to begin with, it isn't > as interesting of a case for XXE generally. However, other > libraries leverage many platform network capabilities that make for > some much more interesting attacks. > > tim > - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRJTJ8AAoJEBYNRVNeJnmToUkQAMiGDsOlh2iP/a7JfqADtoJD ZXKu2WZn7bl0B7pAL2oRwKN7rajgBCYpj7NGa3dPhT0q1HewR3m5Sz+ITSOCCSYt BMfk6IKh/Tq26rcxcjBDjS6tlXCW3qr0gej+5DhUZ7v51IPmP17PEVFOETCBG0V0 /uL7eC/yWOtEPy+ckY9F95AMqfOVqeHWteFek2BZCTZZBiXa+7pLelTWaggzP2JS n2J9fdQqXQfiOpajB63JSNj+E5tvLLIHwjniLyW5WuLoMvJ/bSiWm58VYJUzm5Nu YkV8++fsHV6Y2Am6pzKkkXg42v9PULrlmgbETUYqbvj4xzFnt+3w3GJuFY6I9Gqr HoobjtuXCa+NmAihJ//orJk5oi90pOOoU4eqLivHWqTM+4+wR6f6p/Hn4RroL1pq M75KrzAiXhphQ+yyrTeGYYFRWbNCjXm0yvmeU+X1+kFCgPKN32ecSlPbiW9jdDM0 p6UnCff/8mha54oFgaX356f+6cvXMjFki66pDWFFpuCEpZZ/7p0Z8geWP2OcmpdS TwcF3qNYwxtNm8PSg1cei7a053xYnkT3eoHpETVlDzv2oB8Edg41AOp74T2OkAqZ 4CybIbDQtVwG0GZHWAReM83YX4EaiLWTIwOkhb/ld8kyEElT6sIh/b4ILZAm4O+O PYSRsPw9DW2x//mgcb2k =Nl21 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.