Bug 987572 (CVE-2016-5851) - VUL-0: CVE-2016-5851: python-docx: XML External Entity Attack
Summary: VUL-0: CVE-2016-5851: python-docx: XML External Entity Attack
Status: RESOLVED FIXED
Alias: CVE-2016-5851
Product: openSUSE.org
Classification: openSUSE
Component: 3rd party software
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL: https://smash.suse.de/issue/170554/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-04 13:43 UTC by Andreas Stieger
Modified: 2017-10-26 07:17 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-07-04 13:43:57 UTC
Courtesy bug for devel:languages:python/python-docx:

http://seclists.org/oss-sec/2016/q2/617

The python-docx package is vulnerable to XML External Entity attacks (XXE).

Version 0.8.6 (https://github.com/python-openxml/python-docx/releases/tag/v0.8.6)
contains a fix.

PoC is at http://seclists.org/oss-sec/2016/q2/618


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1351082
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5851
http://seclists.org/oss-sec/2016/q2/618
Comment 1 Swamp Workflow Management 2016-07-04 22:00:59 UTC
bugbot adjusting priority
Comment 2 Jan Matejek 2017-08-11 13:34:18 UTC
Package was community maintained, untouched in 2 years, not in Factory. Resolved by dropping package.
Comment 3 Marcus Meissner 2017-10-26 07:17:04 UTC
so it's fixed ;)