Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1411794 - (CVE-2016-10127) CVE-2016-10127 python-pysaml2: Vulnerable to XML external entity attack
CVE-2016-10127 python-pysaml2: Vulnerable to XML external entity attack
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170110,repor...
: Security
Depends On: CVE-2016-9318
Blocks: 1411796
  Show dependency treegraph
 
Reported: 2017-01-10 08:54 EST by Andrej Nemec
Modified: 2017-03-30 21:24 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-29 23:59:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Andrej Nemec 2017-01-10 08:54:52 EST 
It was found that python-pysaml2 is vulnerable to an XML external entity attack. python-pysaml2 does not sanitize SAML XML requests or responses.

References:

http://seclists.org/oss-sec/2017/q1/50
https://bugs.debian.org/850716

Upstream bug:

https://github.com/rohe/pysaml2/issues/366

Proposed patch (! actually fixes Bug 1415710):

https://github.com/rohe/pysaml2/pull/379
Comment 1 Andrej Nemec 2017-01-11 04:08:43 EST 
CVE assignment:

http://seclists.org/oss-sec/2017/q1/58
Comment 10 Lon Hohberger 2017-01-24 13:32:32 EST 
John, one note for OpenStack builds:

https://github.com/openstack/requirements/blob/master/global-requirements.txt#L210

If you rebase to a version > 4.0.2, you *must* also merge this patch:

https://github.com/rohe/pysaml2/pull/385
Comment 11 Lon Hohberger 2017-01-24 13:37:38 EST 
Note that the proposed patch requires a new package, python-defusedxml, to be added on releases which did not previously include it.
Comment 12 Doran Moppert 2017-01-24 19:53:51 EST 
(In reply to Lon Hohberger from comment #11)
> Note that the proposed patch requires a new package, python-defusedxml, to
> be added on releases which did not previously include it.

Well spotted Lon.

It turns out this patch actually fixes the incorrect flaw.  The patch referenced in comment 0 addresses bug 1415710 (CVE-2016-10149) - there is currently no proposed fix for CVE-2016-10127.

There may be a partial fix for this flaw in passing resolve_entities=False to lxml *if* SAML can operate correctly without the use of entities.  I say "partial" because pySAML also uses xmlsec, which presently has no such mitigation.


A proper root cause fix will come from bug 1395609 (libxml2), once the patch under development there has been verified by the developers.
Comment 15 Alan Pevec 2017-03-17 08:13:34 EDT 
Based on comment 12 fix for this depends on yet unresolved libxml2 bug 1395609 and previous product BZ clones were moved to block new CVE-2016-10149 for which there is a fix.
Comment 17 Summer Long 2017-03-30 00:01:30 EDT 
Statement:

This flaw resides in the XML Security Library (xmlsec1) and will be updated there; Red Hat OpenStack Platform is not affected.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.