oss-sec mailing list archives

Re: CVE Request: libxml2 external parsed entities issue

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 29 Oct 2013 09:53:47 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/29/2013 01:53 AM, Nicolas Grégoire wrote:

libxml has an API to disable external entity expansion.


Are you talking about using xmlSetExternalEntityLoader()?

It works, but changing the libxml default behavior to not being 
vulnerable to XXE seems a good idea.

Cheers, Nicolas


This then breaks applications that need XXE to work, like docbook. We
can't disable every potential dangerous feature across the board, some
applications actually need these to work.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSb9oLAAoJEBYNRVNeJnmTAPwP/1+tiPejcAQnzJPiJvuMZSEb
itNzuCCJn/IRBDUMcMXOV35004nKNnvS1vtShJOR1FFr+8BLHgXnk/t2Az69LTQp
zWPWJGa0wvBaAvTJmkgYYSytciCs/J9blDt6J3QU1azKPaGHoj+nUsOYLYWDen+e
myo2pFzLwUkGlmIGAm7FBj1cTzxXKq4oGnj1gsIj6SyxbSMLz/sToNd85VGEvnzw
2dTRoWKxYEDabGbAID6N4lPHK90I5g8lcz/DE/4/zN9SPygcK7dPm3huDshSmV+m
it2YalcvsrvoX4VYDs7RBGZhstpxdqY4IWShrXcyNU+ryC/Yh15FnTA0cMyNONkL
FyddxOqxnKFBg1kmmew4mKOHZRv4ka/liG7Lqp2Sl30gjvbooBjIhKCC57QeVWz5
+CNee5kyIrh0ydcXCWVRPnOrn4lrtj+42XDm9ucJvbmJCYO3PAD01m7TYM0le9YW
tFxsQx6p4ryJphcVIZQf5cs1bxEj8kNDvRPSsXC7xNuLUblgq9JZTVrBPm8V8E+8
snreCmrUBvcB65AsK/x5zPIAYV9oymOc+bZLjdPpuXsOjWHhO3a/U2QpJ/XW++DC
2LjgsY0JoMweQcHmQtL+Pcd8FSJfpxNiMP/QFVMd+JarNH6+j/SpKPqeg8YPYWG4
mEXq+2dEXGsOBsEt+dOh
=lAZF
-----END PGP SIGNATURE-----

Current thread:

Re: CVE Request: libxml2 external parsed entities issue Nicolas Grégoire (Oct 28)
- Re: CVE Request: libxml2 external parsed entities issue Huzaifa Sidhpurwala (Oct 28)
  - Re: CVE Request: libxml2 external parsed entities issue Nicolas Grégoire (Oct 29)
    - Re: CVE Request: libxml2 external parsed entities issue Kurt Seifried (Oct 29)