oss-sec mailing list archives

Re: CVE request: XXE in Openpyxl


From: Sébastien Delafond <seb () debian org>
Date: Mon, 13 Feb 2017 10:30:10 +0000 (UTC)

On 2017-02-07, Doran Moppert <dmoppert () redhat com> wrote:
> This is yet another instance of CVE-2016-9318.  As already observed
> on the Debian tracker, disabling entity resolution altogether is
> probably going to make openpyxl fail on well-formed Excel documents
> using standard entities such as &lt;.

Hi Doran,

We do not see this issue as being technically the same thing as
CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
entities, and the initial reporter of the Debian bug tested that the
upstream patch doesn't break regular entities like "&lt;" and
"&gt;". What do you think?

Cheers,

--Seb
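
The distinction drawn above, as an added example (not openpyxl's code and not the upstream patch): a parser can refuse any DTD, the only place external or internal entities can be declared, and still read a cell whose text uses the predefined entities &lt;, &gt; and &amp;, which need no DTD. The `cell_texts` helper, the `DoctypeRejected` exception and both worksheet fragments are constructed for this illustration; the `<t>` element name follows the worksheet inline-string layout but the samples are not taken from a real file.

```python
import xml.parsers.expat

class DoctypeRejected(ValueError):
    """Raised when a part carries a <!DOCTYPE>; OOXML parts never need one."""

def cell_texts(xml_bytes):
    """Return the text of each <t> element (cell text in a worksheet part),
    refusing any DTD while letting the predefined entities decode normally."""
    parser = xml.parsers.expat.ParserCreate()
    texts, current, in_t = [], [], False

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE" itself, before the internal subset is read,
        # so no <!ENTITY ...> declaration (external or internal) is processed.
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed (sysid={sysid!r})")

    def start(name, attrs):
        nonlocal in_t, current
        if name == "t":
            in_t, current = True, []

    def end(name):
        nonlocal in_t
        if name == "t":
            texts.append("".join(current))  # expat may deliver text in chunks
            in_t = False

    def chars(data):
        if in_t:
            current.append(data)  # "&lt;" arrives here already decoded as "<"

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return texts

# Constructed sample: a well-formed inline-string cell using predefined entities.
BENIGN = (b'<sheet><c t="inlineStr"><is><t>a &lt; b &amp;&amp; c &gt; d</t>'
          b'</is></c></sheet>')
# Constructed sample: the same cell, preceded by a DTD declaring an external entity.
WITH_DTD = (b'<!DOCTYPE sheet [<!ENTITY ext SYSTEM "http://example.invalid/e">]>'
            b'<sheet><c t="inlineStr"><is><t>&ext;</t></is></c></sheet>')

if __name__ == "__main__":
    print(cell_texts(BENIGN))  # ['a < b && c > d']
```

Running `cell_texts(WITH_DTD)` raises `DoctypeRejected` before any entity declaration is seen, while the benign cell decodes to `a < b && c > d`.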

