Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 13 Feb 2017 10:30:10 +0000 (UTC)
From: S├ębastien Delafond <seb@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: XXE in Openpyxl

On 2017-02-07, Doran Moppert <dmoppert@...hat.com> wrote:
> This is yet another instance of CVE-2016-9318.  As already observed
> on the Debian tracker, disabling entity resolution altogether is
> probably going to make openpyxl fail on well-formed Excel documents
> using standard entities such as &lt;.

Hi Doran,

we do not see this issue being technically the same thing as
CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
entities, and the initial reporter of the Debian bug tested that the
upstream patch doesn't break reglar entities like "&lt"; and
"&gt;". What do you think ?

Cheers,

--Seb

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.