oss-sec mailing list archives
Re: CVE request: XXE in Openpyxl
From: Sébastien Delafond <seb () debian org>
Date: Mon, 13 Feb 2017 10:30:10 +0000 (UTC)
On 2017-02-07, Doran Moppert <dmoppert () redhat com> wrote:
> This is yet another instance of CVE-2016-9318. As already observed on the Debian tracker, disabling entity resolution altogether is probably going to make openpyxl fail on well-formed Excel documents using standard entities such as &lt;.
Hi Doran,

we do not see this issue being technically the same thing as CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML entities, and the initial reporter of the Debian bug tested that the upstream patch doesn't break regular entities like "&lt;" and "&gt;".

What do you think?

Cheers,

--Seb
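The distinction the two messages above turn on (refusing external entities versus "disabling entity resolution altogether", and whether the predefined entities survive it) can be checked directly. The following is an added example, not code from this thread and not openpyxl's own parser setup; it uses the standard library's expat binding rather than lxml, which openpyxl parses with, and the worksheet fragment, the XXE payload and the "secret" file it reads are all constructed here. The predefined entities (`&lt;`, `&gt;`, `&amp;`, `&quot;`, `&apos;`) and numeric character references are part of the XML grammar and are decoded by the tokenizer, so a parser that rejects DTD-declared external entities never sees them.

```python
"""Refuse external entities without breaking XML's predefined ones.

Added example, not code from the thread or from openpyxl.  It uses the
standard library's expat binding rather than lxml (which openpyxl parses
with); the worksheet fragment, the XXE payload and the "secret" file are
all constructed here.
"""
import os
import tempfile
from xml.parsers import expat

# Constructed worksheet-like fragment.  The cell text uses the predefined
# entities &lt; &amp; &gt; plus a numeric character reference; these belong to
# the XML grammar itself, not to a DTD, so no entity resolution decodes them.
SHEET_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    b'<sheetData><row r="1"><c r="A1" t="inlineStr">'
    b'<is><t>a &lt; b &amp;&amp; c &gt; &#100;</t></is>'
    b'</c></row></sheetData></worksheet>'
)


def xxe_document(path):
    """Constructed XXE payload: an external general entity pointing at `path`."""
    return (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE worksheet [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>'
        b'<worksheet><t>&xxe;</t></worksheet>'
    )


class ExternalEntityError(ValueError):
    """Raised when a document declares or references an external entity."""


def parse_unsafe(xml_bytes):
    """What an XXE-vulnerable parser does: follow the SYSTEM identifier and
    splice the file's contents into the document text."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def resolve_external(context, base, system_id, public_id):
        # The dangerous step.  A real resolver would handle URIs; this one
        # simply treats the SYSTEM identifier as a filesystem path.
        with open(system_id, "rb") as fh:
            child = parser.ExternalEntityParserCreate(context)
            child.CharacterDataHandler = chunks.append
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes):
    """Same tokenizer, but an entity declared with a SYSTEM or PUBLIC identifier
    (or any parameter entity, which only exists to pull in DTD pieces) is
    rejected when it is declared, and an external reference is refused should
    one get that far.  Predefined entities and &#NN; references never pass
    through either hook, so "a &lt; b" in a cell still decodes."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def forbid_external_decl(name, is_param, value, base, system_id, public_id, notation):
        if is_param or system_id is not None or public_id is not None:
            raise ExternalEntityError("external entity declaration refused: %s" % name)

    def forbid_external_ref(context, base, system_id, public_id):
        raise ExternalEntityError("external entity reference refused: %s" % system_id)

    parser.EntityDeclHandler = forbid_external_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo():
    """Run both parsers over the worksheet text and over the XXE payload."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("secret=hunter2")  # constructed stand-in for /etc/passwd
        secret_path = fh.name
    try:
        results = {
            "sheet_unsafe": parse_unsafe(SHEET_XML),
            "sheet_hardened": parse_hardened(SHEET_XML),
            "xxe_unsafe": parse_unsafe(xxe_document(secret_path)),
        }
        try:
            results["xxe_hardened"] = parse_hardened(xxe_document(secret_path))
        except ExternalEntityError as exc:
            results["xxe_hardened"] = "refused (%s)" % exc
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-15s %r" % (name, value))
```

Both parsers decode the cell text to `a < b && c > d`; only the unsafe one returns the secret file's contents for the XXE payload, while the hardened one raises at the `<!ENTITY ... SYSTEM ...>` declaration before the reference is ever reached. For a format such as OOXML, whose parts never carry a DOCTYPE, the same hooks can be tightened further to refuse every entity declaration, which also closes internal-entity expansion attacks; that goes beyond the external-entity point the thread is about.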
Current thread:
- CVE request: XXE in Openpyxl Sébastien Delafond (Feb 07)
- Re: CVE request: XXE in Openpyxl Doran Moppert (Feb 07)
- Re: CVE request: XXE in Openpyxl Sébastien Delafond (Feb 13)
- Re: Re: CVE request: XXE in Openpyxl Doran Moppert (Feb 13)
- Re: CVE request: XXE in Openpyxl Sébastien Delafond (Feb 14)
- Re: CVE request: XXE in Openpyxl Sébastien Delafond (Feb 15)
- Re: CVE request: XXE in Openpyxl Sébastien Delafond (Feb 13)
- Re: CVE request: XXE in Openpyxl Doran Moppert (Feb 07)