oss-sec mailing list archives
Re: CVE Request: libxml2 external parsed entities issue
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 29 Oct 2013 09:53:47 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/29/2013 01:53 AM, Nicolas Grégoire wrote:
libxml has an API to disable external entity expansion.Are you talking about using xmlSetExternalEntityLoader()? It works, but changing the libxml default behavior to not being vulnerable to XXE seems a good idea. Cheers, Nicolas
This then breaks applications that need XXE to work, like docbook. We can't disable every potential dangerous feature across the board, some applications actually need these to work. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSb9oLAAoJEBYNRVNeJnmTAPwP/1+tiPejcAQnzJPiJvuMZSEb itNzuCCJn/IRBDUMcMXOV35004nKNnvS1vtShJOR1FFr+8BLHgXnk/t2Az69LTQp zWPWJGa0wvBaAvTJmkgYYSytciCs/J9blDt6J3QU1azKPaGHoj+nUsOYLYWDen+e myo2pFzLwUkGlmIGAm7FBj1cTzxXKq4oGnj1gsIj6SyxbSMLz/sToNd85VGEvnzw 2dTRoWKxYEDabGbAID6N4lPHK90I5g8lcz/DE/4/zN9SPygcK7dPm3huDshSmV+m it2YalcvsrvoX4VYDs7RBGZhstpxdqY4IWShrXcyNU+ryC/Yh15FnTA0cMyNONkL FyddxOqxnKFBg1kmmew4mKOHZRv4ka/liG7Lqp2Sl30gjvbooBjIhKCC57QeVWz5 +CNee5kyIrh0ydcXCWVRPnOrn4lrtj+42XDm9ucJvbmJCYO3PAD01m7TYM0le9YW tFxsQx6p4ryJphcVIZQf5cs1bxEj8kNDvRPSsXC7xNuLUblgq9JZTVrBPm8V8E+8 snreCmrUBvcB65AsK/x5zPIAYV9oymOc+bZLjdPpuXsOjWHhO3a/U2QpJ/XW++DC 2LjgsY0JoMweQcHmQtL+Pcd8FSJfpxNiMP/QFVMd+JarNH6+j/SpKPqeg8YPYWG4 mEXq+2dEXGsOBsEt+dOh =lAZF -----END PGP SIGNATURE-----
Current thread:
- Re: CVE Request: libxml2 external parsed entities issue Nicolas Grégoire (Oct 28)
- Re: CVE Request: libxml2 external parsed entities issue Huzaifa Sidhpurwala (Oct 28)
- Re: CVE Request: libxml2 external parsed entities issue Nicolas Grégoire (Oct 29)
- Re: CVE Request: libxml2 external parsed entities issue Kurt Seifried (Oct 29)
- Re: CVE Request: libxml2 external parsed entities issue Nicolas Grégoire (Oct 29)
- Re: CVE Request: libxml2 external parsed entities issue Huzaifa Sidhpurwala (Oct 28)