Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <51284B3B.4060602@redhat.com>
Date: Fri, 22 Feb 2013 21:53:15 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Florian Weimer <fweimer@...hat.com>,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: CVEs for libxml2 and expat internal and external
 XML entity expansion

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/22/2013 07:25 AM, Florian Weimer wrote:
>> Please use CVE-2013-0338 for libxml2 internal entity expansion
> 
> Hasn't libxml2 got countermeasures for that?

Against exponential, but not quadratic/fast linear.

>> Please use CVE-2013-0341 for expat external entities expansion
> 
> I don't think expat resolves external entities at all.  Therefore,
> the vulnerability resides entirely in the code which uses expat.

Yes but I think it's common enough to warrant it (this is one of those
cases where things don't map super cleanly):

Handling External Entity References

Expat does not read or parse external entities directly. Note that
any external DTD is a special case of an external entity.  If you've
set no <code>ExternalEntityRefHandler</code>, then external entity
references are silently ignored. Otherwise, it calls your handler with
the information needed to read and parse the external entity.

Your handler isn't actually responsible for parsing the entity, but
it is responsible for creating a subsidiary parser with <code><a href=
"#XML_ExternalEntityParserCreate"
> XML_ExternalEntityParserCreate</a></code> that will do the job.
> This
returns an instance of <code>XML_Parser</code> that has handlers and
other data structures initialized from the parent parser. You may then
use <code><a href= "#XML_Parse" >XML_Parse</a></code> or <code><a
href= "#XML_ParseBuffer">XML_ParseBuffer</a></code> calls against this
parser.  Since external entities my refer to other external entities,
your handler should be prepared to be called recursively.

Parsing DTDs

In order to parse parameter entities, before starting the parse,
you must call <code><a href= "#XML_SetParamEntityParsing"
> XML_SetParamEntityParsing</a></code> with one of the following
arguments:

 *<code>XML_PARAM_ENTITY_PARSING_NEVER</code>
Don't parse parameter entities or the external subset

 *<code>XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE</code>
Parse parameter entites and the external subset unless
<code>standalone</code> was set to "yes" in the XML declaration.

 *<code>XML_PARAM_ENTITY_PARSING_ALWAYS</code>
Always parse parameter entities and the external subset

In order to read an external DTD, you also have to set an external
entity reference handler as described above.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRKEs7AAoJEBYNRVNeJnmT+hcQAMH0JsGT6V4D4Zd8gU7oWKR3
zYeu/JeowUCceH/F7HQl4dySUYPNO2TWboX8u/6CGN/8IcmwdtM9W4yZPQ2KyXTO
UKFnhztW4gD5DQ6q18uc9YKDMbGJPmRWAkaoAGGXU3m0fLRmRqZ9eMblQK22zeAH
RFOIqZMJ7G7slrs2cFOJ6Wb7ZQb3wKgItP0B46ueyGe1MU/LRLykXLJfKBXltWNz
3x4UzXWSCR/3bZcUJV43Nh7gUSBNJ2chOvIU+DUz625sSeanf3RQIgzJw3eQIgip
W/4h8xwyoP+w9zaJE6/J1iNhNjpiEmeVkoEcsHFjtSHQ87wp3niqE7QxNvpO1XAA
T61jUsZUNGCgqZlmA64gT7OFNAMClQ6w3g0EzQ5/lukpFA6uwItvTnnfyC2XzJC8
pkAANcL5fOQowxPTkdjRZdlY02F65HbpGGQO0OZXokw1XDKlz5EDavwVJfGi8kvt
VHfuqursFe4H7vnoWj+IX+ZYaydf9pwGRCxqTpI7B1JEC9syxwQce+B007dMlgcm
faswtrbgM5TO6snjBJLzZKA0nvHBRMasR3f+wCXq7JrgmgiOqrPxxizZm0HlM18s
olw4e+DOWpIN9wrvFNNlvkmc6fwMiEJfjp7W5N7SnI5TR+EbZGxQI/av1anjWR78
231jJXfRNAxMh8tj5I/X
=uJuT
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.