Bug 1000110 (CVE-2013-0341)

Summary: expat: external entity expansion
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: erik-fedora, jkurik, jorton, rjones
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-08-28 09:50:35 UTC
Bug Blocks: 1000112

Description Vincent Danen 2013-08-22 17:34:29 UTC
As reported on oss-security [1]:

So here are the CVE's for the two big ones, libxml2 and expat. Both
are affected by the expansion of internal entities (which can be used
to consume resources) and external entities (which can cause a denial
of service against other services, be used to port scan, etc.).

To be clear:
...
====================
External entity expansion refers to the loading of external resources
such as XML entities from another server or a local file:
====================
<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>


<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port
scanning / application scanning information being sent to the attacker.
...
Please use CVE-2013-0341 for expat external entities expansion


There is, however, some debate on whether expat resolves external entities at all, which would make the vulnerability inside code which uses expat [2].


[1] http://www.openwall.com/lists/oss-security/2013/02/22/4
[2] http://www.openwall.com/lists/oss-security/2013/02/22/21

Comment 1 Huzaifa S. Sidhpurwala 2013-08-28 09:50:35 UTC
Expat does not read or parse external entities directly. The developer using expat has to explicitly set ExternalEntityRefHandler, then create "a subsidiary parser with XML_ExternalEntityParserCreate".

This flaw can be mitigated by not expanding external entities, especially the ones which come from untrusted sources.

Therefore, expat by default does not expand external entities, and it provides a mechanism for applications using it to disable such expansion via the API.

Closing this flaw as wontfix.

Based on a similar reason, MITRE has decided to reject the CVE id associated with this flaw.
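Added example, not code from this bug report or from the expat project: the behaviour comment 1 describes, shown through Python's standard-library xml.parsers.expat binding, which exposes the same ExternalEntityRefHandler hook and the same subsidiary-parser call (ExternalEntityParserCreate, the binding's name for XML_ExternalEntityParserCreate). The document is constructed from the second snippet in the oss-security post; the file:///PATH/TO/simple.xml identifier is that post's placeholder and is never opened. The TRUSTED allowlist is an assumption standing in for resources an application has decided in advance it is willing to expand. Without a handler the reference is dropped; with a handler that returns 0, expat aborts the parse rather than fetching anything; only an explicit handler plus a subsidiary parser ever pulls in external content.

```python
import xml.parsers.expat as expat

# Constructed sample document, mirroring the second snippet in the
# oss-security post: a general entity whose replacement text lives at an
# external SYSTEM identifier (placeholder path from the post, never opened).
DOC = b"""<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>
"""

# Constructed allowlist (an assumption for this example): replacement text
# the application is prepared to expand, keyed by system identifier.
# Anything not listed here is refused, so no file or network access happens.
TRUSTED = {
    "file:///PATH/TO/simple.xml": b"<p>hello from simple.xml</p>",
}


def parse_default(doc):
    """Parse with a stock expat parser and return the character data seen.

    No ExternalEntityRefHandler is installed, so expat never fetches the
    SYSTEM identifier: the reference &ee; is simply dropped and the root
    element yields no text. This is the default behaviour from comment 1.
    """
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text)


def parse_with_allowlist(doc, trusted):
    """Expand external entities only from an in-memory allowlist.

    Installing ExternalEntityRefHandler is the explicit opt-in comment 1
    refers to; the handler is where the application decides whether to
    fetch anything at all. Returning 0 makes expat abort the parse with
    XML_ERROR_EXTERNAL_ENTITY_HANDLING. For an allowed identifier the
    replacement text is fed through a subsidiary parser created with
    ExternalEntityParserCreate; it inherits the parent's handlers, so its
    character data lands in the same list.

    Returns (text, refused): text is None when the parse was aborted by a
    refused identifier; refused lists the identifiers the handler declined.
    """
    parser = expat.ParserCreate()
    text = []
    refused = []
    parser.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        body = trusted.get(system_id)
        if body is None:
            refused.append(system_id)
            return 0  # refuse: no filesystem, no network, parse aborts
        sub = parser.ExternalEntityParserCreate(context)
        sub.Parse(body, True)  # subsidiary parser for the entity's content
        return 1

    parser.ExternalEntityRefHandler = resolve
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as err:
        if expat.ErrorString(err.code) != expat.errors.XML_ERROR_EXTERNAL_ENTITY_HANDLING:
            raise
        return None, refused
    return "".join(text), refused


if __name__ == "__main__":
    print("no handler     :", repr(parse_default(DOC)))
    print("empty allowlist:", parse_with_allowlist(DOC, {}))
    print("allowlisted    :", parse_with_allowlist(DOC, TRUSTED))
```

The refusing handler is the shape to use when parsing untrusted input: it turns every external reference into a hard parse error instead of a fetch, and the refused list gives the application something to log. The allowlist variant shows the only route by which expat ever expands external content, namely application code that both installs the handler and drives a subsidiary parser itself.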