Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 458742 (CVE-2013-0340) - <dev-libs/expat-2.1.1-r1: Internal/external entity expansion (CVE-2013-0340)
Summary: <dev-libs/expat-2.1.1-r1: Internal/external entity expansion (CVE-2013-0340)
Status: RESOLVED FIXED
Alias: CVE-2013-0340
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-22 13:59 UTC by Agostino Sarubbo
Modified: 2021-05-23 19:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-22 13:59:20 UTC
From ${URL} :

So here are the CVE's for the two big ones, libxml2 and expat. Both
are affected by the expansion of internal entities (which can be used
to consume resources) and external entities (which can cause a denial
of service against other services, be used to port scan, etc.).

To be clear:

====================
Internal entity expansion refers to the exponential/quadratic/fast
linear expansion of XML entities, e.g.:
====================
<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>

or

<!DOCTYPE bomb [
<!ENTITY a "xxxxxxx... a couple of ten thousand chars">
]>
<bomb>&a;&a;&a;... repeat</bomb>

Which causes resources to be consumed



====================
External entity expansion refers to the loading of external resources
such as XML entities from another server or a local file:
====================
<!DOCTYPE external [
<!ENTITY ee SYSTEM "http://www.example.org/some.xml">
]>
<root>&ee;</root>


<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>

Which can cause resources to be consumed or can result in port
scanning /application scanning information being sent to the attacker.


So the CVE's to use:
Please use CVE-2013-0340 for expat internal entity expansion

Please use CVE-2013-0341 for expat external entities expansion
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 16:43:41 UTC
Not on red hat bugzie and haven't seen any suggested patches (if there are any).
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:08:30 UTC
CVE-2013-0340 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0340):
  expat 2.1.0 and earlier does not properly handle entities expansion unless
  an application developer uses the XML_SetEntityDeclHandler function, which
  allows remote attackers to cause a denial of service (resource consumption),
  send HTTP requests to intranet servers, or read arbitrary files via a
  crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it
  could be argued that because expat already provides the ability to disable
  external entity expansion, the responsibility for resolving this issue lies
  with application developers; according to this argument, this entry should
  be REJECTed, and each affected application would need its own CVE.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-01 05:48:16 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1000109 some additional information as no patches have been offered by upstream.  Packages which are linked can mitigate this issue.  May need a tracking bug to mitigate this on all rdeps.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-28 03:44:13 UTC
CVE-2013-0341 was withdrawn by the CNA.

2.1.1-r1 is latest stable that is unaffected.

Added to existing GLSA.
Comment 5 Thomas Deutschmann gentoo-dev Security 2016-12-23 16:45:10 UTC
I missed comment #4...
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:13:40 UTC
This issue was resolved and addressed in
 GLSA 201701-21 at https://security.gentoo.org/glsa/201701-21
by GLSA coordinator Aaron Bauman (b-man).