Re: RE: Handling CVEs for the XML entity expansion issues

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/20/2013 01:06 PM, Tim wrote:
> > Docbook uses it quite a bit, e.g. each chapter is a file, then
> > you use external entities to put them all together, also for
> > graphics/etc. Breaking Docbook would make me a sad panda.
>
> Well sure, some minority of apps will break.  Libraries release
> notes merely need to say "next version breaks backward
> compatibility for apps that use entities and inline DTDs.  If your
> app uses these, explicitly enable with ..."  Once again, "off by
> default", not removed.

Yeah I'm pretty sure that's a less than ideal solution. Less ideal in
the sense of "breaking a whole bunch of customer software without much
warning, some of which is probably closed source and can't be modified
so that it works with these new "improved" xml libraries" is not the
way to go. So that's not gonna happen for most major Linux vendors (in
other words we'll have to find better ways to fix this).

Like Linus says, we can't just start breaking things. That's not how
you fix things.

> > I tend to agree, however for the billion laughs/linear attack
> > that can be somewhat addressed, libxml for example addressed it
> > by stopping all non linear expansion a few years ago, so while
> > still vulnerable they are less vulnerable.
>
> Yes, but this is by far the least interesting attack scenario for
> most XML libraries.  Since libxml2 is pretty limited in it's
> entities support and network capabilities to begin with, it isn't
> as interesting of a case for XXE generally.  However, other
> libraries leverage many platform network capabilities that make for
> some much more interesting attacks.
>
> tim


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRJTJ8AAoJEBYNRVNeJnmToUkQAMiGDsOlh2iP/a7JfqADtoJD
ZXKu2WZn7bl0B7pAL2oRwKN7rajgBCYpj7NGa3dPhT0q1HewR3m5Sz+ITSOCCSYt
BMfk6IKh/Tq26rcxcjBDjS6tlXCW3qr0gej+5DhUZ7v51IPmP17PEVFOETCBG0V0
/uL7eC/yWOtEPy+ckY9F95AMqfOVqeHWteFek2BZCTZZBiXa+7pLelTWaggzP2JS
n2J9fdQqXQfiOpajB63JSNj+E5tvLLIHwjniLyW5WuLoMvJ/bSiWm58VYJUzm5Nu
YkV8++fsHV6Y2Am6pzKkkXg42v9PULrlmgbETUYqbvj4xzFnt+3w3GJuFY6I9Gqr
HoobjtuXCa+NmAihJ//orJk5oi90pOOoU4eqLivHWqTM+4+wR6f6p/Hn4RroL1pq
M75KrzAiXhphQ+yyrTeGYYFRWbNCjXm0yvmeU+X1+kFCgPKN32ecSlPbiW9jdDM0
p6UnCff/8mha54oFgaX356f+6cvXMjFki66pDWFFpuCEpZZ/7p0Z8geWP2OcmpdS
TwcF3qNYwxtNm8PSg1cei7a053xYnkT3eoHpETVlDzv2oB8Edg41AOp74T2OkAqZ
4CybIbDQtVwG0GZHWAReM83YX4EaiLWTIwOkhb/ld8kyEElT6sIh/b4ILZAm4O+O
PYSRsPw9DW2x//mgcb2k
=Nl21
-----END PGP SIGNATURE-----