Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 21 Feb 2013 22:44:40 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: CVEs for libxml2 and expat internal and external XML entity expansion

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So here are the CVE's for the two big ones, libxml2 and expat. Both
are affected by the expansion of internal entities (which can be used
to consume resources) and external entities (which can cause a denial
of service against other services, be used to port scan, etc.).

To be clear:

====================
Internal entity expansion refers to the exponential/quadratic/fast
linear expansion of XML entities, e.g.:
====================
<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>

or

<!DOCTYPE bomb [
<!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>

Which causes resources to be consumed



====================
External entity expansion refers to the loading of external resources
such as XML entities from another server or a local file:
====================
<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>


<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port
scanning /application scanning information being sent to the attacker.


So the CVE's to use:

Please use CVE-2013-0338 for libxml2 internal entity expansion

Please use CVE-2013-0339 for libxml2 external entities expansion

Please use CVE-2013-0340 for expat internal entity expansion

Please use CVE-2013-0341 for expat external entities expansion


If you know of other XML libraries that are vulnerable (and open
source =) please let oss-sec know so we can assign CVEs.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRJwXIAAoJEBYNRVNeJnmTYUMP/3gJtHt6GFt+J6fG03TIQMOA
3NE7YfmU34/ZPxgFDHDiU7dOJc8uX6VMSQO0fyoFVW40iP/1PTxMow30E1qYBnDL
nXl9Kxl1q/8uqWEpm0CN569a9aU3svCxtcC28m1ziTZ/DwNq/d+fbw/m76Mua9gd
ZpL6hUeMcij47imYOtOgbMiYSt0F+JWTnHoBOwtIdZxkwWEzTIHC6eTNbKAe9Quo
km8fLdpXA14WIWGeqS/K7qI4ie4JOSoJvHCp9YSF3gIVPxHXNqf6Yu1EAJbRRns9
kLG8QH1agRxzV+ZmLobZmtY9D1zB+IjXGGQEd2U5gStYZNIAUxKnXPTKEsJJ4gyd
iw7qp+ubNcO2X5leILNpGAJNtrDbRBcyrtLInM397Pl2xq3IGqX0/H74t+9paUPl
xQexOko7btBmH0oFHJZNLwDjl97HevfLWab/izLCjANpuGwzPtP3h0GGfmQQ22nP
dN9Cc0keFYbd+k9piihQqlHo25ZRW7Haqi5I1c2YK7lpvw8EcjsAc4Ggwk3waM+D
S4oxQGHF5i4RvVvTRIJ5ShoHJMs8jS02XlUR+LoCsr3oP/UMkt/lzAkhnm/T0aLr
WQ69a1is2p+yoQv9ASHA512ggxq/Zp1yNE/P97nK4nM01dx6vddr++Yxrq3cMVFZ
42S90AvngWmywpPfKOQI
=3XLg
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ