Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVEs for libxml2 and expat internal and external XML entity expansion
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 22 Feb 2013 21:53:15 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/22/2013 07:25 AM, Florian Weimer wrote:
Please use CVE-2013-0338 for libxml2 internal entity expansion

Hasn't libxml2 got countermeasures for that?

Against exponential, but not quadratic/fast linear.

Please use CVE-2013-0341 for expat external entities expansion

I don't think expat resolves external entities at all.  Therefore,
the vulnerability resides entirely in the code which uses expat.

Yes but I think it's common enough to warrant it (this is one of those
cases where things don't map super cleanly):

Handling External Entity References

Expat does not read or parse external entities directly. Note that
any external DTD is a special case of an external entity.  If you've
set no <code>ExternalEntityRefHandler</code>, then external entity
references are silently ignored. Otherwise, it calls your handler with
the information needed to read and parse the external entity.

Your handler isn't actually responsible for parsing the entity, but
it is responsible for creating a subsidiary parser with <code><a href=
"#XML_ExternalEntityParserCreate"
XML_ExternalEntityParserCreate</a></code> that will do the job.
This
returns an instance of <code>XML_Parser</code> that has handlers and
other data structures initialized from the parent parser. You may then
use <code><a href= "#XML_Parse" >XML_Parse</a></code> or <code><a
href= "#XML_ParseBuffer">XML_ParseBuffer</a></code> calls against this
parser.  Since external entities my refer to other external entities,
your handler should be prepared to be called recursively.

Parsing DTDs

In order to parse parameter entities, before starting the parse,
you must call <code><a href= "#XML_SetParamEntityParsing"
XML_SetParamEntityParsing</a></code> with one of the following
arguments:

 *<code>XML_PARAM_ENTITY_PARSING_NEVER</code>
Don't parse parameter entities or the external subset

 *<code>XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE</code>
Parse parameter entites and the external subset unless
<code>standalone</code> was set to "yes" in the XML declaration.

 *<code>XML_PARAM_ENTITY_PARSING_ALWAYS</code>
Always parse parameter entities and the external subset

In order to read an external DTD, you also have to set an external
entity reference handler as described above.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRKEs7AAoJEBYNRVNeJnmT+hcQAMH0JsGT6V4D4Zd8gU7oWKR3
zYeu/JeowUCceH/F7HQl4dySUYPNO2TWboX8u/6CGN/8IcmwdtM9W4yZPQ2KyXTO
UKFnhztW4gD5DQ6q18uc9YKDMbGJPmRWAkaoAGGXU3m0fLRmRqZ9eMblQK22zeAH
RFOIqZMJ7G7slrs2cFOJ6Wb7ZQb3wKgItP0B46ueyGe1MU/LRLykXLJfKBXltWNz
3x4UzXWSCR/3bZcUJV43Nh7gUSBNJ2chOvIU+DUz625sSeanf3RQIgzJw3eQIgip
W/4h8xwyoP+w9zaJE6/J1iNhNjpiEmeVkoEcsHFjtSHQ87wp3niqE7QxNvpO1XAA
T61jUsZUNGCgqZlmA64gT7OFNAMClQ6w3g0EzQ5/lukpFA6uwItvTnnfyC2XzJC8
pkAANcL5fOQowxPTkdjRZdlY02F65HbpGGQO0OZXokw1XDKlz5EDavwVJfGi8kvt
VHfuqursFe4H7vnoWj+IX+ZYaydf9pwGRCxqTpI7B1JEC9syxwQce+B007dMlgcm
faswtrbgM5TO6snjBJLzZKA0nvHBRMasR3f+wCXq7JrgmgiOqrPxxizZm0HlM18s
olw4e+DOWpIN9wrvFNNlvkmc6fwMiEJfjp7W5N7SnI5TR+EbZGxQI/av1anjWR78
231jJXfRNAxMh8tj5I/X
=uJuT
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]