Bug 1094619 (CVE-2014-3242) - CVE-2014-3242 SOAPpy: XML External Entity (XXE) flaw
Summary: CVE-2014-3242 SOAPpy: XML External Entity (XXE) flaw
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-3242
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1178862 1178863
Blocks: 1094623
TreeView+ depends on / blocked
 
Reported: 2014-05-06 07:17 UTC by Murray McAllister
Modified: 2019-09-29 13:17 UTC (History)
5 users (show)

Fixed In Version: SOAPpy 0.12.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:32:57 UTC
Embargoed:


Attachments (Terms of Use)

Description Murray McAllister 2014-05-06 07:17:50 UTC
An XML External Entity (XXE) flaw was found in SOAPpy. This could allow a remote attacker to read local files accessible to a server application that uses SOAPpy.

Original report: http://www.pnigos.com/?p=260

CVE request: http://seclists.org/oss-sec/2014/q2/249

Note that SOAPpy is not actively supported by upstream anymore.

Comment 1 Murray McAllister 2014-05-06 07:21:32 UTC
I've not filed a Fedora or EPEL bug for this (or for bug 1094620), as there is no patch yet from what I can see

Comment 2 Toshio Ernie Kuratomi 2014-05-06 21:22:19 UTC
Christian Heimes has done some good work with these security issues and the python stdlib.

Since SOAPpy uses sax.xml, this may be of particular use for resolving this:

https://pypi.python.org/pypi/defusedxml/0.4#settings-in-standard-library

Do note that these flaws are inherent in the XML specification.  So ideally we can mitigate them by default but leave the programmer with an option to turn the insecure behaviour back on.

Comment 3 Murray McAllister 2014-05-07 00:54:50 UTC
MITRE assigned CVE-2014-3242 to this issue:

http://www.openwall.com/lists/oss-security/2014/05/06/9

Comment 4 Murray McAllister 2014-05-07 00:56:08 UTC
(In reply to Toshio Ernie Kuratomi from comment #2)
> Christian Heimes has done some good work with these security issues and the
> python stdlib.
> 
> Since SOAPpy uses sax.xml, this may be of particular use for resolving this:
> 
> https://pypi.python.org/pypi/defusedxml/0.4#settings-in-standard-library
> 
> Do note that these flaws are inherent in the XML specification.  So ideally
> we can mitigate them by default but leave the programmer with an option to
> turn the insecure behaviour back on.

Thanks!

Comment 6 Toshio Ernie Kuratomi 2014-05-13 21:30:30 UTC
Another data point: SOAPpy is required by:

$ repoquery -q --whatrequires SOAPpy                   [master]  (14:09:08)
python-twisted-web-0:12.2.0-3.fc20.x86_64
pytrainer-0:1.9.1-5.fc20.noarch

I talked to the twisted folks and they didn't think that anyone would be using the soap interface in twisted.  So they suggested that we remove the dependency (and possibly the module) within twisted:

/usr/lib64/python2.7/site-packages/twisted/web/soap.py*
/usr/lib64/python2.7/site-packages/twisted/web/test/test_soap.py*

<glyph> abadger1999: I don't even think we say it's an optional dependency anywhere
<glyph> abadger1999: If you wanted to deprecate and delete twisted.web.soap I don't think _anyone_ would complain
<abadger1999> glyph: So we could just rm twisted.web.soap and everything else will be fine?
<glyph> abadger1999: well, let me put it this way
<itamar> is soappy unmaintained?
<abadger1999> itamar: it looks very unmaintained, yeah.
<itamar> so at least file a ticket against twisted saying "soappy is unmaintained and insecure" so we can deprecate it upstream
<abadger1999> itamar: k.
<glyph> abadger1999: I develop Twisted quite a bit
<glyph> abadger1999: https://asciinema.org/a/9538
<glyph> abadger1999: and that's what my Twisted environment looks like
<glyph> abadger1999: you don't even _need_ to 'rm twisted.web.soap'
<glyph> abadger1999: just make the dependency optional
<abadger1999> glyph: haha :-)
<abadger1999> glyph: that's excellent :-)
<glyph> abadger1999: I would ask that you don't just delete it, we really like to discourage packagers from making random modifications



While looking into just how unmaintained SOAPpy was, I ran across this: 
* https://pypi.python.org/pypi/SOAPpy/0.12.5
* https://github.com/kiorky/SOAPpy.git

So it's possible we could report an issue there and it would be resolved.

If it doesn't get addressed upstream we probably want to file a ticket for twisted to look into removing their SOAP module or porting to a better maintained library.

Comment 8 Tomas Hoger 2015-01-05 13:02:39 UTC
This was fixed upstream in 0.12.6, via the following commit:

https://github.com/kiorky/SOAPpy/commit/a386568

Note that the fix was changed by the subsequent commit to fix the billion laughs issue (bug 1094620):

https://github.com/kiorky/SOAPpy/commit/64125a2

Comment 9 Tomas Hoger 2015-01-05 14:56:04 UTC
Created SOAPpy tracking bugs for this issue:

Affects: fedora-all [bug 1178862]
Affects: epel-5 [bug 1178863]


Note You need to log in before you can comment on or make changes to this bug.