Date: Thu, 19 Jan 2017 18:04:45 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Cc: seb@...ian.org, cve-assign@...re.org
Subject: Re: Re: CVE request: python-pysaml2 XML external entity attack

I think this CVE needs some clarification.

On Jan 10 2017, cve-assign@...re.org wrote:
> > python-pysaml2 does
> > not sanitize SAML XML requests or responses:
> >
> > https://github.com/rohe/pysaml2/issues/366
> > https://github.com/rohe/pysaml2/pull/379
> > https://bugs.debian.org/850716
> > https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

issues/376 identifies an XML External Entity flaw (CWE-611), but the
"related commit" 6e09a25d and pull request 379 address only Billion
Laughs vulnerabilities (CWE-776). While the patch's commit message seems
to be incorrect in mentioning XXE, it does not claim to fix issues/379,
which is (correctly) still open.

Thus the below description of CVE-2016-10127 is inconsistent - the
vulnerability addressed by 6e09a25 is CWE-776, which is excluded from the
CVE's coverage by the third list item.

> Use CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML
> parsing" in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.
>
> The scope of this CVE does not include the various other issues that
> may be found in the above references:
>
> - it does not include any aspect of
> https://bugzilla.gnome.org/show_bug.cgi?id=772726
>
> - it does not include any vulnerabilities in the XML Security Library
> (xmlsec), such as ones that are now, or previously were, listed at
> https://github.com/lsh123/xmlsec/issues
>
> - it does not include any CWE-776 (Entity Expansion) issues that may
> have been fixed as a side effect of
> 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (possibly there are new
> test cases in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b for CWE-776)

This can be seen also by noticing that the patch substitutes
"defusedxml.ElementTree" for "xml.etree.ElementTree" (and its native code
equivalent cElementTree), and consulting the table and note #1 at:

https://docs.python.org/2/library/xml.html#xml-vulnerabilities

which points out that "etree" is vulnerable to CWE-776 but not to CWE-611.

The CWE-611 vulnerability in libxml2 (CVE-2016-9318) is still exposed in
pysaml2, via its use of lxml and xmlsec. The exposure via lxml may be
mitigable by disabling entity resolution altogether
(resolve_entities=False), but xmlsec seems to lack any such switch.

-- 
Doran Moppert
Red Hat Product Security
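Editor's added example (not part of the message above, and not pysaml2 or defusedxml code): a stdlib-only illustration of the CWE-776 point the message makes. It parses a constructed, deliberately tiny nested-entity document with expat (the engine behind xml.etree) to show internal entity expansion, then shows the countermeasure that defusedxml.ElementTree applies, rejecting any entity declaration in the DTD; the function names and the sample document are assumptions of this example.

```python
import xml.parsers.expat

# Constructed sample (not a real SAML message): a nested-entity document of
# the "Billion Laughs" shape (CWE-776). Three levels of four references
# each, so "&c;" expands to 4**3 = 64 characters. It is kept far below the
# amplification limit that recent expat releases enforce; the point is the
# geometric growth, not resource exhaustion.
NESTED_ENTITY_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE r [\n'
    '  <!ENTITY a "xxxx">\n'
    '  <!ENTITY b "&a;&a;&a;&a;">\n'
    '  <!ENTITY c "&b;&b;&b;&b;">\n'
    ']>\n'
    '<r>&c;</r>\n'
)


class EntitiesForbidden(ValueError):
    """Raised when the document declares any entity in its DTD."""


def text_length(xml_text, forbid_entities=False):
    """Parse with expat and return the total length of character data
    after entity expansion.

    With forbid_entities=True, the first <!ENTITY ...> declaration aborts
    the parse before anything can reference it. This mirrors (in a
    simplified form) what defusedxml.ElementTree does; it is not defusedxml.
    """
    parser = xml.parsers.expat.ParserCreate()
    lengths = []

    def on_chars(data):
        lengths.append(len(data))

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        raise EntitiesForbidden("entity declaration %r not allowed" % name)

    parser.CharacterDataHandler = on_chars
    if forbid_entities:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)
    return sum(lengths)


if __name__ == "__main__":
    print("expanded text length:", text_length(NESTED_ENTITY_DOC))  # 64
    try:
        text_length(NESTED_ENTITY_DOC, forbid_entities=True)
    except EntitiesForbidden as exc:
        print("rejected:", exc)
```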