Re: CVE request: XXE in Openpyxl

[Sébastien Delafond <seb () debian org>]

On 2017-02-14, Doran Moppert <dmoppert () redhat com> wrote:
> My mistake - thanks for bringing this up!
>
> It appears that resolve_entities=False (ie. options &=
> ~XML_PARSE_NOENT) does *not* affect the expansion of predefined
> entities or character entities.  See [1], [2] and parser.c +
> HTMLparser.c in libxml source.
>
> 1: https://www.xml.com/pub/a/98/08/xmlqna1.html
> 2: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
>
> These flags *do* control the expansion of internal entities, but I
> expect that most common protocols and file formats should not rely on
> those - including Excel.  As long as openpyxl has no need to resolve
> internal entities, nor perform DTD validation, CVE-2016-9318 is not
> relevant and the proposed patch looks correct.
>
>
> So yes, the original CVE request was valid and should go ahead:

@MITRE, can you assign one directly, since this request pre-dates the
requirement of going through the web form, or should I resubmit there
anyway ?

> > the Debian Security Team would like to request a CVE for an XML XEE
> > discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl
> > resolves external entities by default:
> >
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
> >   https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
>
> Also: https://bitbucket.org/openpyxl/openpyxl/issues/749

> Sorry about muddying the water with misunderstanding(s).  The tricky
> part of CVE-2016-9318 seems to be particular requirements of
> components like xmlsec that want internal entity resolution without
> XXE, or DTD validation without exposing the whole filesystem.

No problem at all, the overall implications of CVE-2016-9318 and entity
resolution are indeed pretty complex.

Cheers,

--Seb