oss-sec mailing list archives

Re: Re: CVE request: XXE in Openpyxl


From: Doran Moppert <dmoppert () redhat com>
Date: Tue, 14 Feb 2017 11:55:00 +1030

On Feb 13 2017, Sébastien Delafond wrote:
> On 2017-02-07, Doran Moppert <dmoppert () redhat com> wrote:
>> This is yet another instance of CVE-2016-9318.  As already observed
>> on the Debian tracker, disabling entity resolution altogether is
>> probably going to make openpyxl fail on well-formed Excel documents
>> using standard entities such as &lt;.
>
> we do not see this issue being technically the same thing as
> CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML
> entities, and the initial reporter of the Debian bug tested that the
> upstream patch doesn't break regular entities like "&lt;" and
> "&gt;". What do you think?

My mistake - thanks for bringing this up!

It appears that resolve_entities=False (i.e. options &= ~XML_PARSE_NOENT)
does *not* affect the expansion of predefined entities or character
entities.  See [1], [2] and parser.c + HTMLparser.c in libxml source.

1: https://www.xml.com/pub/a/98/08/xmlqna1.html
2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

These flags *do* control the expansion of internal entities, but I
expect that most common protocols and file formats should not rely on
those - including Excel.  As long as openpyxl has no need to resolve
internal entities, nor perform DTD validation, CVE-2016-9318 is not
relevant and the proposed patch looks correct.


So yes, the original CVE request was valid and should go ahead:

> the Debian Security Team would like to request a CVE for an XXE
> discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> resolves external entities by default:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
>   https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

Also: https://bitbucket.org/openpyxl/openpyxl/issues/749


Sorry about muddying the water with misunderstanding(s).  The tricky
part of CVE-2016-9318 seems to be particular requirements of components
like xmlsec that want internal entity resolution without XXE, or DTD
validation without exposing the whole filesystem.

-- 
Doran Moppert
Red Hat Product Security
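The distinction drawn in the mail above (resolve_entities=False leaves predefined and character entities alone, but stops internal and external general entities from being expanded) can be checked directly against lxml, which wraps libxml2. The following is an added example written for this archive page; it is not code from the thread, from openpyxl, or from the Debian fix. It assumes lxml is installed, and every XML document in it is constructed for the demonstration (the file:///etc/hostname target of the external entity is illustrative; it is never read because resolution is left off).

```python
"""Added example: what lxml's resolve_entities=False does and does not change.

lxml's XMLParser(resolve_entities=...) maps onto libxml2's XML_PARSE_NOENT
option, which the mail discusses. Each document below exercises one class of
entity; all of them are constructed inputs for this demonstration.
"""
from lxml import etree

# Predefined entities (&lt; &amp; ...) and numeric character references
# are part of XML itself and are always expanded by libxml2.
PREDEFINED = '<r>a &lt; b &amp; c</r>'
CHARACTER = '<r>&#65;&#x42;</r>'

# An internal general entity declared in the internal DTD subset.
INTERNAL = '<!DOCTYPE r [<!ENTITY greet "hello">]><r>&greet;</r>'

# An external general entity: the classic XXE shape. The path is an
# illustrative, constructed target; with resolution disabled it is not opened.
EXTERNAL = ('<!DOCTYPE r [<!ENTITY leak SYSTEM "file:///etc/hostname">]>'
            '<r>&leak;</r>')


def parse(doc, resolve_entities=False):
    """Parse `doc` with entity resolution on or off (hardened default: off)."""
    parser = etree.XMLParser(resolve_entities=resolve_entities, no_network=True)
    return etree.fromstring(doc.encode(), parser)


def text_of(doc, resolve_entities=False):
    """Text content of the root element after parsing."""
    return parse(doc, resolve_entities).text


def serialised(doc, resolve_entities=False):
    """Root element re-serialised; unexpanded references survive verbatim."""
    return etree.tostring(parse(doc, resolve_entities)).decode()


def unexpanded_entities(doc, resolve_entities=False):
    """Names of entity references left as entity nodes instead of expanded."""
    root = parse(doc, resolve_entities)
    return [child.name for child in root if child.tag is etree.Entity]


if __name__ == "__main__":
    # Predefined and character entities expand regardless of the flag.
    print("predefined:", text_of(PREDEFINED))          # a < b & c
    print("character: ", text_of(CHARACTER))           # AB
    # Internal entities expand only when resolution is on.
    print("internal (on): ", text_of(INTERNAL, resolve_entities=True))
    print("internal (off):", serialised(INTERNAL))     # <r>&greet;</r>
    # The external entity is left as a reference and its target is never read.
    print("external (off):", serialised(EXTERNAL), unexpanded_entities(EXTERNAL))
```

For a consumer like openpyxl that only needs the predefined entities Excel emits, the "off" column is the behaviour to keep; the internal and external cases show why a component that genuinely needs internal entity expansion (the xmlsec situation mentioned above) cannot get it from this single switch without also reopening the external case.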
