Date: Tue, 14 Feb 2017 11:55:00 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: XXE in Openpyxl

On Feb 13 2017, Sébastien Delafond wrote:
> On 2017-02-07, Doran Moppert <dmoppert@...hat.com> wrote:
> > This is yet another instance of CVE-2016-9318.  As already observed
> > on the Debian tracker, disabling entity resolution altogether is
> > probably going to make openpyxl fail on well-formed Excel documents
> > using standard entities such as &lt;.
> 
> we do not see this issue being technically the same thing as
> CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
> entities, and the initial reporter of the Debian bug tested that the
> upstream patch doesn't break regular entities like "&lt;" and
> "&gt;". What do you think?

My mistake - thanks for bringing this up!

It appears that resolve_entities=False (i.e. options &= ~XML_PARSE_NOENT)
does *not* affect the expansion of predefined entities or character
entities.  See [1], [2] and parser.c + HTMLparser.c in libxml source.

1: https://www.xml.com/pub/a/98/08/xmlqna1.html
2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

These flags *do* control the expansion of internal entities, but I
expect that most common protocols and file formats should not rely on
those - including Excel.  As long as openpyxl has no need to resolve
internal entities, nor perform DTD validation, CVE-2016-9318 is not
relevant and the proposed patch looks correct.


So yes, the original CVE request was valid and should go ahead:

> the Debian Security Team would like to request a CVE for an XML XXE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
>   https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

Also: https://bitbucket.org/openpyxl/openpyxl/issues/749


Sorry about muddying the water with misunderstanding(s).  The tricky
part of CVE-2016-9318 seems to be particular requirements of components
like xmlsec that want internal entity resolution without XXE, or DTD
validation without exposing the whole filesystem.

-- 
Doran Moppert
Red Hat Product Security
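Added example (not from the thread and not openpyxl's own code) illustrating the distinction made above: with lxml's resolve_entities=False, predefined entities and character references are still expanded, while entities declared in a DTD, whether internal or external, are left as unresolved entity nodes. It assumes python3-lxml is installed; the sample documents are constructed.

```python
# Added example, not openpyxl's code: demonstrates how lxml's
# resolve_entities=False (libxml2 without XML_PARSE_NOENT) treats the
# different kinds of XML entities. Assumes python3-lxml is installed.
from lxml import etree

# Parser with entity substitution disabled; no_network=True is an extra
# guard so a declared entity can never be fetched over the network.
HARDENED = etree.XMLParser(resolve_entities=False, no_network=True)

# Constructed sample documents, one per entity kind.
PREDEFINED = b"<cell>&lt;b&gt;&amp;</cell>"            # &lt; &gt; &amp;
CHARREF = b"<cell>&#65;&#x42;</cell>"                   # decimal and hex refs
INTERNAL = b'<!DOCTYPE cell [<!ENTITY greet "hello">]><cell>&greet;</cell>'
EXTERNAL = (b'<!DOCTYPE cell [<!ENTITY leak SYSTEM "file:///etc/hostname">]>'
            b"<cell>&leak;</cell>")


def parse_cell(doc):
    """Parse one document with the hardened parser.

    Returns (text content of <cell>, names of entity references that
    were left unresolved). Predefined and character entities are
    substituted by the parser itself, so they show up in the text;
    DTD-declared entities remain as etree.Entity nodes.
    """
    root = etree.fromstring(doc, HARDENED)
    unresolved = [child.name for child in root if child.tag is etree.Entity]
    return root.text, unresolved


if __name__ == "__main__":
    for label, doc in [("predefined", PREDEFINED), ("charref", CHARREF),
                       ("internal", INTERNAL), ("external", EXTERNAL)]:
        print(label, parse_cell(doc))
```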
