oss-sec mailing list archives

Re: CVE request: XXE in Openpyxl


From: Doran Moppert <dmoppert () redhat com>
Date: Wed, 8 Feb 2017 10:27:46 +1030

On Feb 07 2017, Sébastien Delafond wrote:
> the Debian Security Team would like to request a CVE for an XML XXE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
>   https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

This is yet another instance of CVE-2016-9318.  As already observed on
the Debian tracker, disabling entity resolution altogether is probably
going to make openpyxl fail on well-formed Excel documents using
standard entities such as &lt;.

-- 
Doran Moppert
Red Hat Product Security
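The distinction behind Doran's caveat is between the five entities XML predefines (&lt; &gt; &amp; &quot; &apos;), which every conforming parser expands without any DTD, and entities declared in a DOCTYPE, which are the only ones that can point at an external resource. A conservative hardening that keeps well-formed Excel parts working is therefore to refuse any part that carries a DOCTYPE at all and let the parser handle the predefined entities as usual. The snippet below is an added illustration of that approach using only the Python standard library; it is not openpyxl's code and not what the linked commit does, and the sample XML fragments, the `safe_fromstring` and `cell_texts` names, and the placeholder file path are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal SpreadsheetML-like fragment whose cell text
# uses the predefined entities &lt; and &amp;. These are part of XML itself,
# so no DTD is needed for them to be valid.
SAFE_CELL_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<sheet><row><c t="inlineStr"><is><t>a &lt; b &amp; c</t></is></c></row></sheet>'
)

# Constructed sample: the same shape, but with an internal DTD subset that
# declares an external entity. The SYSTEM path is a placeholder, not a real
# target; the point is only that a DTD is present.
XXE_CELL_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE sheet [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    '<sheet><row><c t="inlineStr"><is><t>&ext;</t></is></c></row></sheet>'
)

# Any DOCTYPE is rejected, whether it declares external entities, internal
# entities (billion-laughs style) or nothing at all. Matching case-insensitively
# is stricter than XML requires, which is the right direction for a guard.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UntrustedDTDError(ValueError):
    """Raised when a spreadsheet part carries a DTD, which Excel never emits."""


def safe_fromstring(data):
    """Parse one XML part, refusing it outright if it contains a DOCTYPE.

    The predefined entities are still expanded by the parser, so a legitimate
    part containing &lt; parses exactly as before.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    if _DOCTYPE_RE.search(data):
        raise UntrustedDTDError("DOCTYPE declaration not allowed in spreadsheet part")
    return ET.fromstring(data)


def cell_texts(data):
    """Return the text of every <t> element in a parsed part."""
    root = safe_fromstring(data)
    return [t.text for t in root.iter("t")]


def rejects_dtd(data):
    """True if the guard refuses the part because it carries a DTD."""
    try:
        safe_fromstring(data)
    except UntrustedDTDError:
        return True
    return False


if __name__ == "__main__":
    print(cell_texts(SAFE_CELL_XML))   # predefined entities expand normally
    print(rejects_dtd(XXE_CELL_XML))   # part with a DTD is refused before parsing
```

The guard runs on the raw bytes before anything is parsed, so a part encoded in UTF-16 would need to be decoded first for the pattern to match; in a real loader that check belongs right where each part is read out of the zip container, before any parser sees it. Because the check is a plain substring match, a DOCTYPE inside a comment or CDATA section is also rejected, which is a harmless false positive for files Excel itself produces.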
