Bug 913808 - (CVE-2013-1664) CVE-2013-1664 Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130219,repor...
Keywords: Reopened, Security
Duplicates: 910221
Depends On: 910221 910222 910224 910232 913054 917199 917200
Blocks: 910225 916494 916496 916499 916886 1067315
Reported: 2013-02-22 01:47 EST by Kurt Seifried
Modified: 2016-08-23 02:39 EDT (History)
CC List: 27 users

Doc Type: Bug Fix
Last Closed: 2015-08-03 02:19:09 EDT
Attachments: None
Description Kurt Seifried 2013-02-22 01:47:58 EST
Christian Heimes <christian@python.org> reports:

Entity declarations can contain more than just text for replacement. 

billion laughs / exponential entity expansion

The Billion Laughs attack -- also known as exponential entity expansion -- 
uses multiple levels of nested entities. The original example uses 9 levels of 
10 expansions in each level to expand the string lol to a string of 3 * 10^9 
bytes, hence the name "billion laughs". The resulting string occupies 3 GB 
(2.79 GiB) of memory; intermediate strings require additional memory. Because 
most parsers don't cache the intermediate step for every expansion it is 
repeated over and over again. It increases the CPU load even more.

An XML document of just a few hundred bytes can disrupt all services on a 
machine within seconds.

quadratic blowup entity expansion

A quadratic blowup attack is similar to a Billion Laughs attack; it abuses 
entity expansion, too. Instead of nested entities it repeats one large entity 
with a couple of ten thousand chars over and over again. The attack isn't as 
efficient as the exponential case but it avoids triggering countermeasures of 
parsers against heavily nested entities. Some parsers limit the depth and 
breadth of a single entity but not the total amount of expanded text 
throughout an entire XML document.

A medium-sized XML document with a couple of hundred kilobytes can require a 
couple of hundred MB to several GB of memory. When the attack is combined with 
some level of nested expansion an attacker is able to achieve a higher ratio 
of success.

External reference:
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
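Both expansion patterns described above depend on internal entity declarations in the document's DTD, and refusing those declarations is the hook that the defusedxml approach relies on. The following is an added example, not code from the bug report, from Python upstream or from defusedxml: it runs a guard pass with the standard library's expat binding that aborts on the first `<!ENTITY ...>` declaration, before any reference in the body is expanded, and contrasts it with the stock ElementTree behaviour. The sample document (two levels of three expansions instead of nine levels of ten), the second plain document and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class EntityDeclarationForbidden(ValueError):
    """Raised when a document declares an entity in its DTD."""


# Constructed sample (not the original billion-laughs document): two levels of
# three expansions, so &c; expands to 9 copies of "lol" = 27 bytes. The report's
# original uses 9 levels of 10 and reaches 3 * 10^9 bytes from the same shape.
NESTED_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;">
]>
<root>&c;</root>"""

# Constructed sample of an ordinary document without any DTD.
PLAIN_DOC = b"<root><item>plain text, no DTD</item></root>"


def _forbid_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # Expat reports each declaration as it reads the DTD; raising here stops
    # the parse before the body (and therefore before any expansion) is reached.
    raise EntityDeclarationForbidden(
        "entity declaration %r rejected before any expansion" % entity_name)


def check_no_entity_declarations(xml_bytes):
    """Guard pass over the raw bytes. Cost is bounded by the input size,
    not by the expanded size, because parsing aborts at the first declaration."""
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _forbid_entity_decl
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes):
    """Hardened entry point: ElementTree only sees documents the guard accepted."""
    check_no_entity_declarations(xml_bytes)
    return ET.fromstring(xml_bytes)


def guard_verdict(xml_bytes):
    """'rejected' if the guard refuses the document, 'accepted' otherwise."""
    try:
        parse_untrusted(xml_bytes)
    except EntityDeclarationForbidden:
        return "rejected"
    return "accepted"


def unguarded_text_length(xml_bytes):
    """What the stock parser does with the same bytes: it expands the entities
    and returns the amplified text, here 27 bytes from a 3-byte entity."""
    return len(ET.fromstring(xml_bytes).text or "")


if __name__ == "__main__":
    print("stock ElementTree expanded to", unguarded_text_length(NESTED_ENTITY_DOC), "bytes")
    print("guard on nested document:", guard_verdict(NESTED_ENTITY_DOC))
    print("guard on plain document:", guard_verdict(PLAIN_DOC))
```

Rejecting every entity declaration is deliberately coarse: it blocks both the exponential and the quadratic case, since each needs at least one internal entity, but it also rejects legitimate documents that declare entities, which is the backward-compatibility cost mentioned later in this bug. A service that must accept such documents would instead need a parser that enforces a total expansion budget across the whole document, not just a per-entity depth or breadth limit.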
Comment 5 Kurt Seifried 2013-03-04 14:17:51 EST
*** Bug 910221 has been marked as a duplicate of this bug. ***
Comment 6 errata-xmlrpc 2013-03-05 16:02:02 EST
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0596 https://rhn.redhat.com/errata/RHSA-2013-0596.html
Comment 7 errata-xmlrpc 2013-03-21 14:13:11 EDT
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0670 https://rhn.redhat.com/errata/RHSA-2013-0670.html
Comment 8 errata-xmlrpc 2013-03-21 14:13:41 EDT
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0658 https://rhn.redhat.com/errata/RHSA-2013-0658.html
Comment 9 errata-xmlrpc 2013-03-21 14:16:45 EDT
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0657 https://rhn.redhat.com/errata/RHSA-2013-0657.html
Comment 10 Huzaifa S. Sidhpurwala 2015-08-03 02:15:40 EDT
Python’s interfaces for processing XML are grouped in the xml module, which is a part of the python package. The XML modules are not secure against erroneous or maliciously constructed data, and such data should not be directly parsed via python's xml modules.

This is clearly documented at:
https://docs.python.org/2/library/xml.html
https://docs.python.org/2/library/xml.html#xml-vulnerabilities

Python upstream suggests the use of "defusedxml" packages, but they break backward compatibility.


Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
