Red Hat Bugzilla – Bug 1094619
CVE-2014-3242 SOAPpy: XML External Entity (XXE) flaw
Last modified: 2015-03-04 11:11:07 EST
An XML External Entity (XXE) flaw was found in SOAPpy. This could allow a remote attacker to read local files accessible to a server application that uses SOAPpy. Original report: http://www.pnigos.com/?p=260 CVE request: http://seclists.org/oss-sec/2014/q2/249 Note that SOAPpy is not actively supported by upstream anymore.
I've not filed a Fedora or EPEL bug for this (or for bug 1094620), as there is no patch yet from what I can see
Christian Heimes has done some good work with these security issues and the python stdlib. Since SOAPpy uses sax.xml, this may be of particular use for resolving this: https://pypi.python.org/pypi/defusedxml/0.4#settings-in-standard-library Do note that these flaws are inherent in the XML specification. So ideally we can mitigate them by default but leave the programmer with an option to turn the insecure behaviour back on.
MITRE assigned CVE-2014-3242 to this issue: http://www.openwall.com/lists/oss-security/2014/05/06/9
(In reply to Toshio Ernie Kuratomi from comment #2) > Christian Heimes has done some good work with these security issues and the > python stdlib. > > Since SOAPpy uses sax.xml, this may be of particular use for resolving this: > > https://pypi.python.org/pypi/defusedxml/0.4#settings-in-standard-library > > Do note that these flaws are inherent in the XML specification. So ideally > we can mitigate them by default but leave the programmer with an option to > turn the insecure behaviour back on. Thanks!
Another data point: SOAPpy is required by: $ repoquery -q --whatrequires SOAPpy [master] (14:09:08) python-twisted-web-0:12.2.0-3.fc20.x86_64 pytrainer-0:1.9.1-5.fc20.noarch I talked to the twisted folks and they didn't think that anyone would be using the soap interface in twisted. So they suggested that we remove the dependency (and possibly the module) within twisted: /usr/lib64/python2.7/site-packages/twisted/web/soap.py* /usr/lib64/python2.7/site-packages/twisted/web/test/test_soap.py* <glyph> abadger1999: I don't even think we say it's an optional dependency anywhere <glyph> abadger1999: If you wanted to deprecate and delete twisted.web.soap I don't think _anyone_ would complain <abadger1999> glyph: So we could just rm twisted.web.soap and everything else will be fine? <glyph> abadger1999: well, let me put it this way <itamar> is soappy unmaintained? <abadger1999> itamar: it looks very unmaintained, yeah. <itamar> so at least file a ticket against twisted saying "soappy is unmaintained and insecure" so we can deprecate it upstream <abadger1999> itamar: k. <glyph> abadger1999: I develop Twisted quite a bit <glyph> abadger1999: https://asciinema.org/a/9538 <glyph> abadger1999: and that's what my Twisted environment looks like <glyph> abadger1999: you don't even _need_ to 'rm twisted.web.soap' <glyph> abadger1999: just make the dependency optional <abadger1999> glyph: haha :-) <abadger1999> glyph: that's excellent :-) <glyph> abadger1999: I would ask that you don't just delete it, we really like to discourage packagers from making random modifications While looking into just how unmaintained SOAPpy was, I ran across this: * https://pypi.python.org/pypi/SOAPpy/0.12.5 * https://github.com/kiorky/SOAPpy.git So it's possible we could report an issue there and it would be resolved. If it doesn't get addressed upstream we probably want to file a ticket for twisted to look into removing their SOAP module or porting to a better maintained library.
This was fixed upstream in 0.12.6, via the following commit: https://github.com/kiorky/SOAPpy/commit/a386568 Note that the fix was changed by the subsequent commit to fix the billion laughs issue (bug 1094620): https://github.com/kiorky/SOAPpy/commit/64125a2
Created SOAPpy tracking bugs for this issue: Affects: fedora-all [bug 1178862] Affects: epel-5 [bug 1178863]