Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5a73a86bba0443d0bf2ddfba52218ecb@imshyb01.MITRE.ORG>
Date: Thu, 19 Jan 2017 12:34:48 -0500
From: <cve-assign@...re.org>
To: <dmoppert@...hat.com>, <seb@...ian.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE request: python-pysaml2 XML external entity attack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> Use CVE-2016-10127
> I think this CVE needs some clarification.

We agree. Here is a rewrite of our entire earlier message that made this
CVE ID assignment.

REPLACE ALL OF THIS EARLIER TEXT:

   > python-pysaml2 does
   > not sanitize SAML XML requests or responses:
   >
   >   https://github.com/rohe/pysaml2/issues/366
   >   https://github.com/rohe/pysaml2/pull/379
   >   https://bugs.debian.org/850716
   >   https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
   
   Use CVE-2016-10127 for the vulnerability addressed by "Fix XXE in XML
   parsing" in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.
   
   The scope of this CVE does not include the various other issues that
   may be found in the above references:
   
    - it does not include any aspect of
      https://bugzilla.gnome.org/show_bug.cgi?id=772726
   
    - it does not include any vulnerabilities in the XML Security Library
      (xmlsec), such as ones that are now, or previously were, listed at
      https://github.com/lsh123/xmlsec/issues
   
    - it does not include any CWE-776 (Entity Expansion) issues that may
      have been fixed as a side effect of
      6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (possibly there are new
      test cases in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b for CWE-776)

WITH THIS REWRITE:

   > python-pysaml2 does
   > not sanitize SAML XML requests or responses:
   >
   >   https://github.com/rohe/pysaml2/issues/366
   >   https://github.com/rohe/pysaml2/pull/379
   >   https://bugs.debian.org/850716
   >   https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
   
   Use CVE-2016-10127 for any XXE vulnerability that exists within the
   pysaml2 code (i.e., not in an underlying library). This vulnerability
   is described in the "Oct 6, 2016" portion of the
   https://github.com/rohe/pysaml2/issues/366 reference. There isn't yet
   a complete rationale for why the pysaml2 code itself should be
   considered responsible for XXE, or about what changes to the pysaml2
   code itself would resolve XXE. However, it is still potentially useful
   to track XXE at the pysaml2 level.
   
   The scope of this CVE does not include the various other issues that
   may be found in the above references:
   
    - it does not include any aspect of
      https://bugzilla.gnome.org/show_bug.cgi?id=772726 (CVE-2016-9318
      is applicable to that XXE discussion)
   
    - it does not include any vulnerabilities in the XML Security Library
      (xmlsec), such as ones that are now, or previously were, listed at
      https://github.com/lsh123/xmlsec/issues
   
    - it does not include any CWE-776 (Entity Expansion) issue fixed
      in 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b. The ID for this
      CWE-776 problem in pysaml2 is CVE-2016-10149.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYgPg3AAoJEHb/MwWLVhi2P5kP/i5lCVmVMrE8LyRe7thLApfH
i+T4cuyt3ydZOXJCWgirp5/jEKXhjA5FLMZNpo1J1iinkIW9gJeP3XgJcmaVRr1K
iY/lKkf98Pcd5G1xNKurb+CqlE/wPYLT58pLxaolSVHj9oFPuhFfC/3ECMv8FKdV
ealV3n7pQ/0CJCORqL/mVA30jGJblCVRWv9uNFAEXRSAvGnAzJbu3sCsc2zmWmtp
aeJsgr7giNgNQX/nufUysm1t8xSH/1LQlwbRrEisn8pIgek4pjRa1jJyXs0WPb//
tbrzL7maBVQJPIxLGID4dHMY3d33rkaeAHyfFc/nddzAP1REbamxOTDHnZdqWwAl
uHSNhMpM+WSfiOl2khP0YID6mPNywbFXjHyGas70E2Cob9biwc4qdl94qz4x5VeI
O1Iae59q829zwOZlo1PtYqX8d7X3DSuB4opXaZR3CT58pIg68Q7HfgFhppEEUPF3
c+vdGNOIP6bTrqXraibMGya5IAYTZqmqg6Bjc+Kul+DGNFbnDD41OfcTin6PWFSt
o1a3xVy6qJ0lQMC2QUvPXWNO4Q2SpnAQdTJv3A8rV6fg4bJ4d4vAeYmIO4xyyym0
mszWpmX1CcpHd+HyN4bQsG7VpqX3k5M3DZWP0nDnKFPlhDxjTt69PfhCTP8MXdFi
p3Dt50ewDtHBNqBWConl
=jh5c
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.