oss-sec mailing list archives
Re: CVEs for libxml2 and expat internal and external XML entity expansion
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 22 Feb 2013 10:24:12 -0800
> Please use CVE-2013-0338 for libxml2 internal entity expansion
> Hasn't libxml2 got countermeasures for that?
Yeah, I believe so. Last I looked, I came up with recommendations for folks to use xmlCtxtUseOptions with XML_PARSE_NOENT, XML_PARSE_NONET, and XML_PARSE_DTDLOAD set appropriately. However, it wasn't 100% clear to me at the time if these addressed all edge cases. In particular, I didn't care much about the DoS cases at the time, but hopefully if DTDs are ignored, then it wouldn't be an issue. I'd love to hear from an expert on this matter. For sure the documentation needs to be improved...
> Please use CVE-2013-0341 for expat external entities expansion
> I don't think expat resolves external entities at all. Therefore, the vulnerability resides entirely in the code which uses expat.
Last I checked, I came to the same conclusion.

tim
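Added example, not part of the original message: a sketch using Python's standard `xml.parsers.expat` binding to show that expat only hands an external entity reference to a callback supplied by the application, so what happens next is the application's policy. The policy names (`none`, `audit`, `reject`), the `parse` helper and the sample document are assumptions made for this illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: an external general entity declared in the internal
# subset and referenced once in element content.
SAMPLE = (b'<?xml version="1.0"?>\n'
          b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///constructed/example.txt">]>\n'
          b'<r>a&ext;b</r>')


def parse(doc, policy="none"):
    """Parse doc with expat under one application-side policy.

    none   - no ExternalEntityRefHandler installed (expat's default state)
    audit  - record the requested system id, supply no content, continue
    reject - record the requested system id and abort the parse
    Returns (accepted, text, requested_system_ids).
    """
    text, requested = [], []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def on_external(context, base, system_id, public_id):
        # expat never opens system_id itself; it only reports it here.
        requested.append(system_id)
        # Non-zero: carry on without entity content. Zero: fail the parse.
        return 1 if policy == "audit" else 0

    if policy in ("audit", "reject"):
        parser.ExternalEntityRefHandler = on_external
    try:
        parser.Parse(doc, True)
    except expat.ExpatError:
        return False, "".join(text), requested
    return True, "".join(text), requested


if __name__ == "__main__":
    for policy in ("none", "audit", "reject"):
        print(policy, parse(SAMPLE, policy))
```

When reviewing code built on expat, the handler installed for external entity references is the place to look: a handler that opens the system id is where file or network access would come from.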