oss-security - Re: CVE Request: libxml2 external parsed entities issue

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <526FDA0B.5090004@redhat.com>
Date: Tue, 29 Oct 2013 09:53:47 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: libxml2 external parsed entities
 issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/29/2013 01:53 AM, Nicolas Grégoire wrote:
> 
>> libxml has an API to disable external entity expansion.
> 
> Are you talking about using xmlSetExternalEntityLoader()?
> 
> It works, but changing the libxml default behavior to not being 
> vulnerable to XXE seems a good idea.
> 
> Cheers, Nicolas

This then breaks applications that need XXE to work, like docbook. We
can't disable every potential dangerous feature across the board, some
applications actually need these to work.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSb9oLAAoJEBYNRVNeJnmTAPwP/1+tiPejcAQnzJPiJvuMZSEb
itNzuCCJn/IRBDUMcMXOV35004nKNnvS1vtShJOR1FFr+8BLHgXnk/t2Az69LTQp
zWPWJGa0wvBaAvTJmkgYYSytciCs/J9blDt6J3QU1azKPaGHoj+nUsOYLYWDen+e
myo2pFzLwUkGlmIGAm7FBj1cTzxXKq4oGnj1gsIj6SyxbSMLz/sToNd85VGEvnzw
2dTRoWKxYEDabGbAID6N4lPHK90I5g8lcz/DE/4/zN9SPygcK7dPm3huDshSmV+m
it2YalcvsrvoX4VYDs7RBGZhstpxdqY4IWShrXcyNU+ryC/Yh15FnTA0cMyNONkL
FyddxOqxnKFBg1kmmew4mKOHZRv4ka/liG7Lqp2Sl30gjvbooBjIhKCC57QeVWz5
+CNee5kyIrh0ydcXCWVRPnOrn4lrtj+42XDm9ucJvbmJCYO3PAD01m7TYM0le9YW
tFxsQx6p4ryJphcVIZQf5cs1bxEj8kNDvRPSsXC7xNuLUblgq9JZTVrBPm8V8E+8
snreCmrUBvcB65AsK/x5zPIAYV9oymOc+bZLjdPpuXsOjWHhO3a/U2QpJ/XW++DC
2LjgsY0JoMweQcHmQtL+Pcd8FSJfpxNiMP/QFVMd+JarNH6+j/SpKPqeg8YPYWG4
mEXq+2dEXGsOBsEt+dOh
=lAZF
-----END PGP SIGNATURE-----

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.