Bug 1000110 - (CVE-2013-0341) expat: external entity expansion
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Blocks: 1000112
Reported: 2013-08-22 13:34 EDT by Vincent Danen
Modified: 2015-07-31 03:10 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-28 05:50:35 EDT
Description Vincent Danen 2013-08-22 13:34:29 EDT
As reported on oss-security [1]:

So here are the CVEs for the two big ones, libxml2 and expat. Both
are affected by the expansion of internal entities (which can be used
to consume resources) and external entities (which can cause a denial
of service against other services, be used to port scan, etc.).

To be clear:
External entity expansion refers to the loading of external resources
such as XML entities from another server or a local file:
<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>

<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>

Which can cause resources to be consumed or can result in port
scanning/application scanning information being sent to the attacker.
Please use CVE-2013-0341 for expat external entities expansion.

There is, however, some debate on whether expat resolves external entities at all, which would make the vulnerability inside code which uses expat [2].

[1] http://www.openwall.com/lists/oss-security/2013/02/22/4
[2] http://www.openwall.com/lists/oss-security/2013/02/22/21
Comment 1 Huzaifa S. Sidhpurwala 2013-08-28 05:50:35 EDT
Expat does not read or parse external entities directly. The developer using expat has to explicitly set ExternalEntityRefHandler, then create "a subsidiary parser with XML_ExternalEntityParserCreate".

This flaw can be mitigated by not expanding external entities, especially the ones which come from untrusted sources.

Therefore expat by default does not expand external entities and provides a mechanism for applications using it to disable such expansion via the API.

Closing this flaw as wontfix.

Based on a similar reason, MITRE has decided to reject the CVE id associated with this flaw.
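
The behaviour described in Comment 1, as an added example that is not part of the original bug report or of expat's own code: it uses Python's standard-library `xml.parsers.expat` binding (an assumption made so it runs without compiling against libexpat) on a constructed document built from the `file:///PATH/TO/simple.xml` declaration in the description. The policy labels "default", "skip" and "reject" are made up for this example.

```python
import xml.parsers.expat as expat

# Constructed sample: the declaration quoted in the description, completed
# into a well-formed document that references the entity once.
DOC = (b'<!DOCTYPE external [\n'
       b'<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">\n'
       b']>\n'
       b'<external>before &ee; after</external>')


def parse(policy):
    """Parse DOC and return (text, requested_system_ids, error_code).

    policy is a label made up for this example:
      "default" - no ExternalEntityRefHandler installed
      "skip"    - handler records the reference, loads nothing, continues
      "reject"  - handler records the reference and aborts the parse
    """
    text, requested = [], []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def handler(context, base, system_id, public_id):
        requested.append(system_id)
        # No subsidiary parser is created, so nothing is ever fetched.
        # Returning 0 makes expat fail the parse; non-zero lets it continue.
        return 0 if policy == "reject" else 1

    if policy != "default":
        parser.ExternalEntityRefHandler = handler

    try:
        parser.Parse(DOC, True)
        code = None
    except expat.ExpatError as exc:
        code = exc.code
    return "".join(text), requested, code


# Error code expat reports when the handler returns 0.
REJECTED = expat.errors.codes[expat.errors.XML_ERROR_EXTERNAL_ENTITY_HANDLING]

if __name__ == "__main__":
    for policy in ("default", "skip", "reject"):
        print(policy, parse(policy))
```

The list of recorded system identifiers is what an application would log to detect documents that attempt external entity references.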