oss-sec mailing list archives
Re: Re: CVE request: XXE in Openpyxl
From: Doran Moppert <dmoppert () redhat com>
Date: Tue, 14 Feb 2017 11:55:00 +1030
On Feb 13 2017, Sébastien Delafond wrote:
> On 2017-02-07, Doran Moppert <dmoppert () redhat com> wrote:
> > This is yet another instance of CVE-2016-9318. As already observed on the Debian tracker, disabling entity resolution altogether is probably going to make openpyxl fail on well-formed Excel documents using standard entities such as &lt;.
>
> We do not see this issue being technically the same thing as CVE-2016-9318. openpyxl shouldn't need to resolve *external* XML entities, and the initial reporter of the Debian bug tested that the upstream patch doesn't break regular entities like "&lt;" and "&gt;". What do you think?
My mistake - thanks for bringing this up! It appears that resolve_entities=False (i.e. options &= ~XML_PARSE_NOENT) does *not* affect the expansion of predefined entities or character entities. See [1], [2] and parser.c + HTMLparser.c in libxml source.

1: https://www.xml.com/pub/a/98/08/xmlqna1.html
2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

These flags *do* control the expansion of internal entities, but I expect that most common protocols and file formats should not rely on those - including Excel. As long as openpyxl has no need to resolve internal entities, nor perform DTD validation, CVE-2016-9318 is not relevant and the proposed patch looks correct.

So yes, the original CVE request was valid and should go ahead:

> the Debian Security Team would like to request a CVE for an XML XXE discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl resolves external entities by default:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
> https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

Also: https://bitbucket.org/openpyxl/openpyxl/issues/749

Sorry about muddying the water with misunderstanding(s). The tricky part of CVE-2016-9318 seems to be particular requirements of components like xmlsec that want internal entity resolution without XXE, or DTD validation without exposing the whole filesystem.

--
Doran Moppert
Red Hat Product Security
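The distinction drawn in the thread, checked in code: an added example, not code from the openpyxl project or from any message above. It uses Python's stdlib expat parser as a stand-in for lxml's resolve_entities=False, refusing every declared entity (internal or external) while the five predefined entities and numeric character references still expand; the three sample documents are constructed.

```python
import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """Raised when the document declares an entity of any kind."""


def parse_text_content(xml_bytes: bytes) -> str:
    """Return the document's character data, refusing entity declarations.

    Every <!ENTITY ...> in the DTD, internal or external, aborts the parse
    before the entity could be referenced, so nothing is expanded or fetched.
    Predefined entities (&lt; &gt; &amp; &quot; &apos;) and numeric character
    references are not declarations, so they still expand normally.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks: list[str] = []

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        kind = "external" if (system_id or public_id) else "internal"
        raise EntityDeclarationError(f"{kind} entity {name!r} declared")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    # Also refuse to load external parameter entities / external DTD subsets.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def classify(xml_bytes: bytes) -> tuple[str, str]:
    """Return ("ok", text) or ("refused", reason) for one document."""
    try:
        return "ok", parse_text_content(xml_bytes)
    except EntityDeclarationError as exc:
        return "refused", str(exc)


# Constructed samples, not taken from any real spreadsheet.
SAFE = b"<t>1 &lt; 2 &amp;&amp; &#65;&#x42;</t>"             # predefined + char refs
INTERNAL = b'<!DOCTYPE t [<!ENTITY foo "bar">]><t>&foo;</t>'   # internal entity
EXTERNAL = (b'<!DOCTYPE t [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
            b"<t>&ext;</t>")                                   # external entity

if __name__ == "__main__":
    for label, doc in (("safe", SAFE), ("internal", INTERNAL), ("external", EXTERNAL)):
        print(label, classify(doc))
```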