oss-sec mailing list archives
Re: Re: CVE request: python-pysaml2 XML external entity attack
From: Doran Moppert <dmoppert () redhat com>
Date: Wed, 11 Jan 2017 15:23:55 +1030
On Jan 10 2017, cve-assign () mitre org wrote:
python-pysaml2 does not sanitize SAML XML requests or responses: https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9bUse CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML parsing" in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.
The scope of this CVE does not include the various other issues that may be found in the above references: - it does not include any aspect of https://bugzilla.gnome.org/show_bug.cgi?id=772726
This (libxml2 XXE) has already been assigned CVE-2016-9318. I have proposed a(n incomplete) patch on that ticket, but do not have sufficient familiarity with libxml2 to be sure it is sound (and thus worth completing with proper tests and docs). If it is, it's possible that downstream projects could apply a similar patch in client code while remaining compatible with current (unpatched) libxml2. Even if this gets into libxml2, client code will need to enable a new option explicitly to prevent XXE. There's an argument to make NOXXE default behaviour, but this could potentially impact a lot of projects that silently rely on some form of external entity resolution.
- it does not include any vulnerabilities in the XML Security Library (xmlsec), such as ones that are now, or previously were, listed at https://github.com/lsh123/xmlsec/issues
xmlsec is exposed to CVE-2016-9318, but considers this a bug in libxml2 and at present has no plans to provide a workaround. I expect a CVE assignment for xmlsec will only be needed if it is fixed/worked around in that project. -- Doran Moppert Red Hat Product Security
Attachment:
_bin
Description:
Current thread:
- CVE request: python-pysaml2 XML external entity attack Sébastien Delafond (Jan 10)
- Re: CVE request: python-pysaml2 XML external entity attack cve-assign (Jan 10)
- Re: Re: CVE request: python-pysaml2 XML external entity attack Doran Moppert (Jan 10)
- Re: Re: CVE request: python-pysaml2 XML external entity attack Doran Moppert (Jan 18)
- Re: CVE request: python-pysaml2 XML external entity attack cve-assign (Jan 19)
- Re: CVE request: python-pysaml2 XML external entity attack cve-assign (Jan 10)