Bug 1094619 (CVE-2014-3242)

Summary: CVE-2014-3242 SOAPpy: XML External Entity (XXE) flaw
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, carnil, jkurik, pingou, python-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: SOAPpy 0.12.6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:32:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1178862, 1178863    
Bug Blocks: 1094623    

Description Murray McAllister 2014-05-06 07:17:50 UTC 
An XML External Entity (XXE) flaw was found in SOAPpy. This could allow a remote attacker to read local files accessible to a server application that uses SOAPpy.

Original report: http://www.pnigos.com/?p=260

CVE request: http://seclists.org/oss-sec/2014/q2/249

Note that SOAPpy is not actively supported by upstream anymore.
Comment 1 Murray McAllister 2014-05-06 07:21:32 UTC 
I've not filed a Fedora or EPEL bug for this (or for bug 1094620), as there is no patch yet from what I can see
Comment 2 Toshio Ernie Kuratomi 2014-05-06 21:22:19 UTC 
Christian Heimes has done some good work with these security issues and the python stdlib.

Since SOAPpy uses sax.xml, this may be of particular use for resolving this:

https://pypi.python.org/pypi/defusedxml/0.4#settings-in-standard-library

Do note that these flaws are inherent in the XML specification.  So ideally we can mitigate them by default but leave the programmer with an option to turn the insecure behaviour back on.
Comment 3 Murray McAllister 2014-05-07 00:54:50 UTC 
MITRE assigned CVE-2014-3242 to this issue:

http://www.openwall.com/lists/oss-security/2014/05/06/9
Comment 4 Murray McAllister 2014-05-07 00:56:08 UTC 
(In reply to Toshio Ernie Kuratomi from comment #2)
> Christian Heimes has done some good work with these security issues and the
> python stdlib.
> 
> Since SOAPpy uses sax.xml, this may be of particular use for resolving this:
> 
> https://pypi.python.org/pypi/defusedxml/0.4#settings-in-standard-library
> 
> Do note that these flaws are inherent in the XML specification.  So ideally
> we can mitigate them by default but leave the programmer with an option to
> turn the insecure behaviour back on.

Thanks!
Comment 6 Toshio Ernie Kuratomi 2014-05-13 21:30:30 UTC 
Another data point: SOAPpy is required by:

$ repoquery -q --whatrequires SOAPpy                   [master]  (14:09:08)
python-twisted-web-0:12.2.0-3.fc20.x86_64
pytrainer-0:1.9.1-5.fc20.noarch

I talked to the twisted folks and they didn't think that anyone would be using the soap interface in twisted.  So they suggested that we remove the dependency (and possibly the module) within twisted:

/usr/lib64/python2.7/site-packages/twisted/web/soap.py*
/usr/lib64/python2.7/site-packages/twisted/web/test/test_soap.py*

<glyph> abadger1999: I don't even think we say it's an optional dependency anywhere
<glyph> abadger1999: If you wanted to deprecate and delete twisted.web.soap I don't think _anyone_ would complain
<abadger1999> glyph: So we could just rm twisted.web.soap and everything else will be fine?
<glyph> abadger1999: well, let me put it this way
<itamar> is soappy unmaintained?
<abadger1999> itamar: it looks very unmaintained, yeah.
<itamar> so at least file a ticket against twisted saying "soappy is unmaintained and insecure" so we can deprecate it upstream
<abadger1999> itamar: k.
<glyph> abadger1999: I develop Twisted quite a bit
<glyph> abadger1999: https://asciinema.org/a/9538
<glyph> abadger1999: and that's what my Twisted environment looks like
<glyph> abadger1999: you don't even _need_ to 'rm twisted.web.soap'
<glyph> abadger1999: just make the dependency optional
<abadger1999> glyph: haha :-)
<abadger1999> glyph: that's excellent :-)
<glyph> abadger1999: I would ask that you don't just delete it, we really like to discourage packagers from making random modifications



While looking into just how unmaintained SOAPpy was, I ran across this: 
* https://pypi.python.org/pypi/SOAPpy/0.12.5
* https://github.com/kiorky/SOAPpy.git

So it's possible we could report an issue there and it would be resolved.

If it doesn't get addressed upstream we probably want to file a ticket for twisted to look into removing their SOAP module or porting to a better maintained library.
Comment 8 Tomas Hoger 2015-01-05 13:02:39 UTC 
This was fixed upstream in 0.12.6, via the following commit:

https://github.com/kiorky/SOAPpy/commit/a386568

Note that the fix was changed by the subsequent commit to fix the billion laughs issue (bug 1094620):

https://github.com/kiorky/SOAPpy/commit/64125a2
Comment 9 Tomas Hoger 2015-01-05 14:56:04 UTC 
Created SOAPpy tracking bugs for this issue:

Affects: fedora-all [bug 1178862]
Affects: epel-5 [bug 1178863]