oss-sec mailing list archives
Re: CVE request: XXE in Openpyxl
From: Doran Moppert <dmoppert () redhat com>
Date: Wed, 8 Feb 2017 10:27:46 +1030
On Feb 07 2017, Sébastien Delafond wrote:
> the Debian Security Team would like to request a CVE for an XML XEE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
> https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
This is yet another instance of CVE-2016-9318. As already observed on the Debian tracker, disabling entity resolution altogether is probably going to make openpyxl fail on well-formed Excel documents using standard entities such as &lt;.

--
Doran Moppert
Red Hat Product Security
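An added example, not from the thread or from openpyxl's code: the message above distinguishes external entities from standard entities such as &lt;, and this sketch shows a parser configuration that refuses the former while still decoding the latter. It assumes Python's standard-library expat binding rather than the parser openpyxl uses; the function names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed samples (not from the thread): a shared-string fragment that
# uses predefined entities, and one that declares an external entity.
PREDEFINED = b"<si><t>a &lt; b &amp; c</t></si>"
EXTERNAL = (b'<!DOCTYPE si [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
            b"<si><t>&ext;</t></si>")


class EntityForbidden(ValueError):
    """The document declares or references a DTD-defined entity."""


def cell_text(xml_bytes):
    """Return the character data, refusing any declared entity."""
    chunks = []
    parser = expat.ParserCreate()

    # Called for every <!ENTITY ...> declaration, internal or external.
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityForbidden(f"entity declaration refused: {name}")

    # Called when an external entity is referenced; never fetch it.
    def on_external_ref(context, base, system_id, public_id):
        raise EntityForbidden(f"external entity refused: {system_id}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # Predefined entities (&lt; &gt; &amp; &quot; &apos;) need no declaration
    # and arrive here already decoded.
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def check(xml_bytes):
    """Return ("ok", text) or ("rejected", reason) for one document."""
    try:
        return ("ok", cell_text(xml_bytes))
    except EntityForbidden as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for sample in (PREDEFINED, EXTERNAL):
        print(check(sample))
```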