Date: Tue, 14 Feb 2017 11:55:00 +1030
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: XXE in Openpyxl

On Feb 13 2017, Sébastien Delafond wrote:
> On 2017-02-07, Doran Moppert <dmoppert@...hat.com> wrote:
> > This is yet another instance of CVE-2016-9318. As already observed
> > on the Debian tracker, disabling entity resolution altogether is
> > probably going to make openpyxl fail on well-formed Excel documents
> > using standard entities such as &lt;.
>
> we do not see this issue being technically the same thing as
> CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
> entities, and the initial reporter of the Debian bug tested that the
> upstream patch doesn't break regular entities like "&lt;" and
> "&gt;". What do you think ?

My mistake - thanks for bringing this up!

It appears that resolve_entities=False (ie. options &= ~XML_PARSE_NOENT)
does *not* affect the expansion of predefined entities or character
entities. See [1], [2] and parser.c + HTMLparser.c in libxml source.

1: https://www.xml.com/pub/a/98/08/xmlqna1.html
2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

These flags *do* control the expansion of internal entities, but I
expect that most common protocols and file formats should not rely on
those - including Excel. As long as openpyxl has no need to resolve
internal entities, nor perform DTD validation, CVE-2016-9318 is not
relevant and the proposed patch looks correct.

So yes, the original CVE request was valid and should go ahead:

> the Debian Security Team would like to request a CVE for an XML XXE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
> https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

Also: https://bitbucket.org/openpyxl/openpyxl/issues/749

Sorry about muddying the water with misunderstanding(s).

The tricky part of CVE-2016-9318 seems to be particular requirements of
components like xmlsec that want internal entity resolution without XXE,
or DTD validation without exposing the whole filesystem.

-- 
Doran Moppert
Red Hat Product Security
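The distinction discussed above (resolve_entities=False leaves predefined entities and character references alone but stops internal-entity expansion), shown on a constructed document with lxml. This is an added example, not code from the thread or from openpyxl, and it assumes lxml is installed:

```python
from lxml import etree

# Constructed sample document: a predefined entity (&lt;/&gt;), character
# references, and an internal entity declared in the inline DTD subset.
# Only the last of these is governed by XML_PARSE_NOENT / resolve_entities.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY internal "expanded-internal"> ]>
<doc>
  <pre>&lt;tag&gt;</pre>
  <char>&#65;&#x42;</char>
  <int>&internal;</int>
</doc>"""


def parse_entity_texts(data: bytes, resolve_entities: bool) -> dict:
    """Parse `data` with or without entity substitution and report, per
    child element, its .text plus the names of any entity references that
    libxml2 left unexpanded (lxml exposes those as _Entity child nodes
    rather than as text)."""
    parser = etree.XMLParser(resolve_entities=resolve_entities,
                             no_network=True)
    root = etree.fromstring(data, parser)
    result = {}
    for child in root:
        unexpanded = [node.name for node in child
                      if isinstance(node, etree._Entity)]
        result[child.tag] = (child.text, unexpanded)
    return result


if __name__ == "__main__":
    # Predefined and character entities decode either way; only &internal;
    # changes between the two settings.
    for flag in (True, False):
        print(f"resolve_entities={flag}:", parse_entity_texts(SAMPLE, flag))
```

A spreadsheet's sharedStrings.xml relies only on the first two kinds, which is why disabling entity substitution does not break well-formed Excel files.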