oss-sec mailing list archives
Re: Re: CVE request: python-pysaml2 XML external entity attack
From: Doran Moppert <dmoppert () redhat com>
Date: Thu, 19 Jan 2017 18:04:45 +1030
I think this CVE needs some clarification. On Jan 10 2017, cve-assign () mitre org wrote:
> python-pysaml2 does not sanitize SAML XML requests or responses:
>
> https://github.com/rohe/pysaml2/issues/366
> https://github.com/rohe/pysaml2/pull/379
> https://bugs.debian.org/850716
> https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

issues/376 identifies an XML External Entity flaw (CWE-611), but the "related commit" 6e09a25d and pull request 379 address only Billion Laughs vulnerabilities (CWE-776). While the patch's commit message seems to be incorrect in mentioning XXE, it does not claim to fix issues/379, which is (correctly) still open. Thus the below description of CVE-2016-10127 is inconsistent: the vulnerability addressed by 6e09a25 is CWE-776, which is excluded from the CVE's coverage by the third list item.

> Use CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML parsing" in
> 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b. The scope of this CVE does not include
> the various other issues that may be found in the above references:
>
> - it does not include any aspect of https://bugzilla.gnome.org/show_bug.cgi?id=772726
>
> - it does not include any vulnerabilities in the XML Security Library (xmlsec), such as
>   ones that are now, or previously were, listed at https://github.com/lsh123/xmlsec/issues
>
> - it does not include any CWE-776 (Entity Expansion) issues that may have been fixed as a
>   side effect of 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (possibly there are new test
>   cases in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b for CWE-776)

This can be seen also by noticing that the patch substitutes "defusedxml.ElementTree" for "xml.etree.ElementTree" (and its native code equivalent cElementTree), and consulting the table and note #1 at:

https://docs.python.org/2/library/xml.html#xml-vulnerabilities

which points out that "etree" is vulnerable to CWE-776 but not to CWE-611.

The CWE-611 vulnerability in libxml2 (CVE-2016-9318) is still exposed in pysaml2, via its use of lxml and xmlsec. The exposure via lxml may be mitigable by disabling entity resolution altogether (resolve_entities=False), but xmlsec seems to lack any such switch.

-- 
Doran Moppert
Red Hat Product Security
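The parser behaviours the message above distinguishes (xml.etree expands nested entities but does not fetch external ones, defusedxml refuses entity declarations outright, lxml can be told not to resolve entities) can be checked directly. The script below is an added example written for this page; it is not code from the thread, from pysaml2, or from the commit under discussion. It constructs a deliberately tiny entity bomb and an XXE document whose external entity points at a temporary file containing a constructed secret; defusedxml and lxml are treated as optional and each helper reports "unavailable" when the package is not installed. Whether lxml with resolve_entities=True actually reads the local file depends on the lxml and libxml2 versions on the machine, so that case is printed for inspection rather than assumed.

```python
"""Added example: entity expansion (CWE-776) versus external entities (CWE-611)
in xml.etree.ElementTree, defusedxml.ElementTree and lxml.

Not part of the oss-sec thread or of pysaml2. defusedxml and lxml are optional
here; the helpers return ("unavailable",) when they cannot be imported.
"""
import pathlib
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a tiny "billion laughs" document. 10 x 10 x 10 = 1000
# copies of "lol" (3000 characters), far below any parser's expansion limits,
# so it only shows whether a parser expands nested entities at all.
ENTITY_BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
"""

# Constructed secret: written to a temp file that the XXE document references.
SECRET = "constructed-secret-token"


def make_xxe_doc():
    """Write SECRET to a temporary file and return an XXE document whose
    external general entity points at it through a file:// URI."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with open(fd, "w") as f:
        f.write(SECRET)
    uri = pathlib.Path(path).as_uri()
    return ('<?xml version="1.0"?>\n'
            f'<!DOCTYPE r [ <!ENTITY ext SYSTEM "{uri}"> ]>\n'
            '<r>&ext;</r>\n')


def _summarise(root):
    """Return ("parsed", text length, whether the secret leaked into the text)."""
    text = root.text or ""
    return ("parsed", len(text), SECRET in text)


def stdlib_outcome(doc):
    """xml.etree.ElementTree (expat): internal entities are expanded (CWE-776
    exposure), but an external entity is never fetched; ElementTree raises
    ParseError('undefined entity ...') instead, as the Python docs' note says."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as e:
        return ("rejected", str(e))
    return _summarise(root)


def defused_outcome(doc):
    """defusedxml.ElementTree: with its defaults (forbid_entities=True) any
    <!ENTITY> declaration raises EntitiesForbidden before content is parsed,
    which covers the bomb and the XXE document alike."""
    try:
        import defusedxml
        import defusedxml.ElementTree as DET
    except ImportError:
        return ("unavailable",)
    try:
        root = DET.fromstring(doc)
    except defusedxml.DefusedXmlException as e:
        return ("rejected", type(e).__name__)
    return _summarise(root)


def lxml_outcome(doc, resolve_entities):
    """lxml (libxml2): resolve_entities=False leaves entity references in the
    tree unexpanded, so the secret cannot land in root.text. no_network=True
    is passed explicitly; it only stops remote fetches, not file:// reads."""
    try:
        from lxml import etree
    except ImportError:
        return ("unavailable",)
    parser = etree.XMLParser(resolve_entities=resolve_entities, no_network=True)
    try:
        # bytes, because lxml rejects str input carrying an XML declaration
        root = etree.fromstring(doc.encode("utf-8"), parser)
    except etree.XMLSyntaxError as e:
        return ("rejected", str(e))
    return _summarise(root)


if __name__ == "__main__":
    xxe = make_xxe_doc()
    cases = [
        ("xml.etree", stdlib_outcome),
        ("defusedxml", defused_outcome),
        ("lxml resolve_entities=True", lambda d: lxml_outcome(d, True)),
        ("lxml resolve_entities=False", lambda d: lxml_outcome(d, False)),
    ]
    for name, fn in cases:
        print(f"{name:28} bomb={fn(ENTITY_BOMB)!r}")
        print(f"{name:28} xxe ={fn(xxe)!r}")
```

Running the script prints one line per parser and document. With the standard library the bomb parses to 3000 characters of text while the XXE document is rejected with "undefined entity", which is exactly the etree row of the table the message cites: exposed to CWE-776, not to CWE-611. The lxml resolve_entities=True line is the one worth reading on the target system, since that is the exposure path the message attributes to pysaml2's use of lxml.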
Current thread:
- CVE request: python-pysaml2 XML external entity attack Sébastien Delafond (Jan 10)
- Re: CVE request: python-pysaml2 XML external entity attack cve-assign (Jan 10)
- Re: Re: CVE request: python-pysaml2 XML external entity attack Doran Moppert (Jan 10)
- Re: Re: CVE request: python-pysaml2 XML external entity attack Doran Moppert (Jan 18)
- Re: CVE request: python-pysaml2 XML external entity attack cve-assign (Jan 19)
- Re: CVE request: python-pysaml2 XML external entity attack cve-assign (Jan 10)