Re: CVE Request: libxml2 external parsed entities issue

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/05/2013 08:38 AM, Marcus Meissner wrote:
> On Fri, Jul 05, 2013 at 09:30:07AM -0400, Marc Deslauriers wrote:
> > On 13-07-05 09:17 AM, Marcus Meissner wrote:
> > > On Fri, Jul 05, 2013 at 08:48:04AM -0400, Marc Deslauriers
> > > wrote:
> > > > Hello,
> > > >
> > > > libxml2 earlier than 2.9.0 fetches external parsed entities
> > > > by default, with no way to disable the behaviour.
> > > >
> > > > Fixed by the following commit:
> > > >
> > > > https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f
More Information:
> > > > https://mail.gnome.org/archives/xml/2012-October/msg00045.html
https://github.com/sparklemotion/nokogiri/issues/693
> > > > https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/1194410
Could a CVE please be assigned to this issue?
> > > Sounds like http://seclists.org/oss-sec/2013/q1/391 and "Please
> > > use CVE-2013-0339 for libxml2 external entities expansion"
> > >
> > > ?
> >
> > Hrm, I would have thought CVE-2013-0339 was for the entities
> > expansion DoS issue fixed by this commit:
> >
> > https://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab
The other one is for external entities expansion being enabled by
default with
> > no way to turn it off. You would lump them together?
>
> Mostly wondering, as it seemed more or less related. Perhaps
> someone else has more insight.
>
> Ciao, Marcus

So the emails covering this:

http://www.openwall.com/lists/oss-security/2013/04/12/6

CVE-2013-0338 - libxml2 internal entity expansion

CVE-2013-0339 - libxml2 external entities expansion

For CVE-2013-0340 and CVE-2013-0339, there are "workarounds" available
for application developers, although such workarounds may be very
expensive to develop, and this might place "too much" responsibility
to the developers - so, these assignments may still be OK.  It is
still worth discussion.

So same problem, just a new (better) fix is my take, Steve, does that
work for you as well?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR1xquAAoJEBYNRVNeJnmTfQwQAJGm8zXjmI5zOPtYsl6BX2T5
5KSQ7ZkfB7iEaaHEtiZPnocXlf0No7jpq6VtMqdoiTQ3mzCXiMvs7Cev6jg9EeA7
OnHu7Z7C/m5ZAwxdclwJ+83TjtSKcf/Yz1K6vRIAlTeh+cDWhqWGIW/48bX54KTh
Uj+8oW7ka101ZLaycA8y0UwPsiz9vzrHAonDSn09CcUI7AhxgsLTKOHIl0UgGIZi
WHNw5rQaxxXtEkyVh4Y0lsn1mqvJv8kSjaRUQ+dH9bv8ToIzGYbm6NLdJtcXl7FX
+IIxhhWpvJnYaTnqazzN0GFT55AmFf8x6Fu4FPrbW3Pc5S6UdRBVjjdm/Vs3TFr8
IBDoSp0nqGkIr2Wx9n8BfZeRb7sAUkGZm3l4enue7W9HwQghdzsTyZrL+9xtHO+B
0YGuo4r+DxFyGMnsyU7m1oXQoCvALp02KPBpr566dKpZ7MFxyim/h8dUxRCO+7R6
8pVI7icFb+lKfimQryqgclXmmDaFCmikbHwZ+v+J1CrB4yQ3I0JLo7pxi5mNtEvx
uqU9xvlGZpJiWjDnIRAe4JPgKTqu2AHOQXJv9ITXW1T7E9w9JrB+b14gwM965HT4
UkPH9OusLZFFp+PBK8CyZAzQ/yOCfoFxkW9DtvWif5CGHORLos01lLogZdITQ7Eq
Kf9QNiB0vbB51dKcpqPt
=xLit
-----END PGP SIGNATURE-----