Bug 805236 (CVE-2013-0340) - VUL-0: CVE-2013-0340/CVE-2013-0341: expat: entity expansion DoS/exploits
Summary: VUL-0: CVE-2013-0340/CVE-2013-0341: expat: entity expansion DoS/exploits
Status: RESOLVED WONTFIX
Alias: CVE-2013-0340
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Vojtech Dziewiecki
QA Contact: Security Team bot
Reported: 2013-02-22 13:28 UTC by Marcus Meissner
Modified: 2021-05-24 10:48 UTC

Description Marcus Meissner 2013-02-22 13:28:38 UTC
is public, via oss-security and other researchers


From: Kurt Seifried <kseifried@redhat.com>
Subject: [oss-security] CVEs for libxml2 and expat internal and external XML entity expansion
Date: Thu, 21 Feb 2013 22:44:40 -0700

So here are the CVE's for the two big ones, libxml2 and expat. Both
are affected by the expansion of internal entities (which can be used
to consume resources) and external entities (which can cause a denial
of service against other services, be used to port scan, etc.).

To be clear:

====================
Internal entity expansion refers to the exponential/quadratic/fast
linear expansion of XML entities, e.g.:
====================
<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>

or

<!DOCTYPE bomb [
<!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>

Which causes resources to be consumed



====================
External entity expansion refers to the loading of external resources
such as XML entities from another server or a local file:
====================
<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>


<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port
scanning/application scanning information being sent to the attacker.

So the CVE's to use:

Please use CVE-2013-0340 for expat internal entity expansion
Please use CVE-2013-0341 for expat external entities expansion
Comment 1 Marcus Meissner 2013-02-22 13:30:33 UTC
as for libxml2, we need to decide:

- do we change the default settings of expat?

  should probably more done by upstream

- or do we change the behaviour of the using libraries/programs
Comment 2 Swamp Workflow Management 2013-02-22 23:00:33 UTC
bugbot adjusting priority
Comment 6 Marcus Meissner 2014-07-28 15:01:53 UTC
To avoid breaking applications by a library change, we are deferring this problem to the users of expat. They can mitigate this issue by calling the XML_SetEntityDeclHandler() function with the name of an alternative function that can handle entities more safely.

We will not fix these issues in expat at this time.
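
The mitigation from comment 6, as an added example (not code from this bug report or from the expat project): Python's standard-library `xml.parsers.expat` binding exposes the handler that `XML_SetEntityDeclHandler()` registers as the parser's `EntityDeclHandler` attribute, and a handler that raises aborts the parse at the declaration, before any `&name;` reference is expanded or resolved. Rejecting every declaration is one assumed policy; the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat


class EntityForbidden(ValueError):
    """Raised from the handler to abort parsing at an <!ENTITY ...> declaration."""


def parse_text(data: bytes) -> str:
    """Return the document's character data; refuse any entity declaration."""
    parser = expat.ParserCreate()
    chunks = []

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # value is a string for internal entities and None for
        # external (SYSTEM/PUBLIC) ones.
        kind = "internal" if value is not None else "external"
        raise EntityForbidden(f"{kind} entity {name!r}")

    parser.EntityDeclHandler = on_entity_decl      # binding of XML_SetEntityDeclHandler()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)                       # handler exceptions propagate from here
    return "".join(chunks)


def verdict(data: bytes) -> str:
    """Classify a document as accepted or rejected, with the reason."""
    try:
        parse_text(data)
        return "ok"
    except EntityForbidden as exc:
        return f"rejected: {exc}"


# Constructed inputs, shortened from the snippets in the description.
PLAIN = b"<root>hello</root>"
INTERNAL = b"""<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<bomb>&b;</bomb>"""
EXTERNAL = b"""<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>"""

if __name__ == "__main__":
    for doc in (PLAIN, INTERNAL, EXTERNAL):
        print(verdict(doc))
```

Because the parse stops at the first declaration, both the nested-entity form and the single large entity referenced many times are refused before any expansion takes place.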