Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Help protect against billion laughs attack (for when XML entities need to be supported) #34

Closed
hartwork opened this issue May 31, 2017 · 9 comments · Fixed by #466
Closed

Help protect against billion laughs attack (for when XML entities need to be supported) #34

hartwork opened this issue May 31, 2017 · 9 comments · Fixed by #466
Labels
enhancement security

Comments

@hartwork
Copy link
Member

hartwork commented May 31, 2017
edited
Loading

(The latest version of) https://github.com/tiran/expat_cvs/commits/xmlbomb should be assessed for integratability.

Branch defusedexpat-2.1.0 in here has his patch (with path fixes to match our file layout) for more convenient inspection.
@hartwork hartwork added this to the 2.3.0 milestone Jun 4, 2017
@hartwork hartwork mentioned this issue Jun 16, 2017
Closed
@BigBadaboom BigBadaboom mentioned this issue Jan 29, 2018
Closed
@andy9a9
Copy link

andy9a9 commented Jul 30, 2018

Hello everyone,
I would like to ask, what is the current status of this issue? Is it possible to create new release with your proposal patches?

Thanks

@hartwork
Copy link
Member Author

For a quick reply: it's not something we could just apply and merge without risk of breaking things and without additional resources.

@hartwork
Copy link
Member Author

I should mention that this new feature should have dedicated tests and there are none, yet.

@kwaclaw
Copy link
Contributor

kwaclaw commented Jul 31, 2018 via email

@hartwork
Copy link
Member Author

Isn't the usual mitigation to disable DTD processing?

Could it be that you're referring to disabling support for external entities here?
I don't think we want to disable support for XML entities by default. To me this ticket is about getting all users safe from DoS by default while keeping support for XML entities intact. I'll adjust the ticket title to make that more clear in a second.

@hartwork hartwork changed the title Help protect against billion laughs attack Help protect against billion laughs attack (for when XML entities need to be supported) Jul 31, 2018
@kwaclaw
Copy link
Contributor

kwaclaw commented Aug 3, 2018

Dont you need DTD processing turned on to expand entities? I remember from way back that for Expat the simple remedy for the million XXX attack was to disable DTD processing. See https://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/.

@hartwork
Copy link
Member Author

hartwork commented Aug 3, 2018

I believe you do, yes. Turning DTD off is simple but not nice.

@kwaclaw
Copy link
Contributor

kwaclaw commented Aug 3, 2018

I also remember that at one time we had discussed to rework the memory allocation functions so that we could track the memory allocated for the parser instance. That would have allowed us to simply stop when a specific threshold was exceeded.

@hartwork
Copy link
Member Author

hartwork commented Aug 3, 2018
edited
Loading

I think we have discussed that before and I remember just tracking memory usage was too simple in some regard. Would need to look it up.

@hartwork hartwork mentioned this issue Sep 15, 2018
Closed
3 tasks
tiran added a commit to tiran/libexpat that referenced this issue Sep 19, 2018
@tiran
Limit entity expansion to prevent DoS attacks
818f4b0 
libexpat is vulnerable to billion laughs and quadratic blowup DoS attacks.
processInternalEntity() function now limits entity expansion and
nesting in three ways:

* Entity nesting is limited to three levels of recursion.
* Total length of an entity is limited to 1023 bytes.
* The ratio of entity expansion to processed bytes cannot exceed 1:10.

The mitigation is enabled by default and can be disabled with
XML_SetOptions(parser, XML_OPTION_HUGE_ENTITES).

The xmlwf command has a new option -H to enable huge entities.

The new entity expansion limits cause one test to fail. The XML test
file tests/xmlconf/xmltest/valid/ext-sa/012.xml has five levels of
entity expansion.

Fixes: libexpat#34
Fixes: libexpat#46
Signed-off-by: Christian Heimes <christian@python.org>
tiran added a commit to tiran/libexpat that referenced this issue Sep 19, 2018
@tiran
Limit entity expansion to prevent DoS attacks
86d4067 
libexpat is vulnerable to billion laughs and quadratic blowup DoS attacks.
processInternalEntity() function now limits entity expansion and
nesting in three ways:

* Entity nesting is limited to three levels of recursion.
* Total length of an entity is limited to 1023 bytes.
* The ratio of entity expansion to processed bytes cannot exceed 1:10.

The mitigation is enabled by default and can be disabled with
XML_SetOptions(parser, XML_OPTION_HUGE_ENTITES).

The xmlwf command has a new option -H to enable huge entities.

The new entity expansion limits cause one test to fail. The XML test
file tests/xmlconf/xmltest/valid/ext-sa/012.xml has five levels of
entity expansion.

Fixes: libexpat#34
Fixes: libexpat#46
Signed-off-by: Christian Heimes <christian@python.org>
tiran added a commit to tiran/libexpat that referenced this issue Sep 19, 2018
@tiran
Limit entity expansion to prevent DoS attacks
32ed8dd 
libexpat is vulnerable to billion laughs and quadratic blowup DoS attacks.
processInternalEntity() function now limits entity expansion and
nesting in three ways:

* Entity nesting is limited to three levels of recursion.
* Total length of an entity is limited to 1023 bytes.
* The ratio of entity expansion to processed bytes cannot exceed 1:10.

The mitigation is enabled by default and can be disabled with
XML_SetOptions(parser, XML_OPTION_HUGE_ENTITES).

The xmlwf command has a new option -H to enable huge entities.

The new entity expansion limits cause one test to fail. The XML test
file tests/xmlconf/xmltest/valid/ext-sa/012.xml has five levels of
entity expansion.

Fixes: libexpat#34
Fixes: libexpat#46
Signed-off-by: Christian Heimes <christian@python.org>
tiran added a commit to tiran/libexpat that referenced this issue Sep 19, 2018
@tiran
Limit entity expansion to prevent DoS attacks
713b803 
libexpat is vulnerable to billion laughs and quadratic blowup DoS attacks.
processInternalEntity() function now limits entity expansion and
nesting in three ways:

* Entity nesting is limited to three levels of recursion.
* Total length of an entity is limited to 1023 bytes.
* The ratio of entity expansion to processed bytes cannot exceed 1:10.

The mitigation is enabled by default and can be disabled with
XML_SetOptions(parser, XML_OPTION_HUGE_ENTITES).

The xmlwf command has a new option -H to enable huge entities.

The new entity expansion limits cause one test to fail. The XML test
file tests/xmlconf/xmltest/valid/ext-sa/012.xml has five levels of
entity expansion.

Fixes: libexpat#34
Fixes: libexpat#46
Signed-off-by: Christian Heimes <christian@python.org>
tiran added a commit to tiran/libexpat that referenced this issue Sep 20, 2018
@tiran
Limit entity expansion to prevent DoS attacks
12a4526 
libexpat is vulnerable to billion laughs and quadratic blowup DoS attacks.
processInternalEntity() function now limits entity expansion and
nesting in three ways:

* Entity nesting is limited to three levels of recursion.
* Total length of an entity is limited to 1023 bytes.
* The ratio of entity expansion to processed bytes cannot exceed 1:10.

The mitigation is enabled by default and can be disabled with
XML_SetOptions(parser, XML_OPTION_HUGE_ENTITES).

The xmlwf command has a new option -H to enable huge entities.

The new entity expansion limits cause one test to fail. The XML test
file tests/xmlconf/xmltest/valid/ext-sa/012.xml has five levels of
entity expansion.

Fixes: libexpat#34
Fixes: libexpat#46
Signed-off-by: Christian Heimes <christian@python.org>
tiran added a commit to tiran/libexpat that referenced this issue Sep 21, 2018
@tiran
Limit entity expansion to prevent DoS attacks
8de665d 
libexpat is vulnerable to billion laughs and quadratic blowup DoS attacks.
processInternalEntity() function now limits entity expansion and
nesting in three ways:

* Entity nesting is limited to three levels of recursion.
* Total length of an entity is limited to 1023 bytes.
* The ratio of entity expansion to processed bytes cannot exceed 1:10.

The mitigation is enabled by default and can be disabled with
XML_SetOptions(parser, XML_OPTION_HUGE_ENTITES).

The xmlwf command has a new option -H to enable huge entities.

The new entity expansion limits cause one test to fail. The XML test
file tests/xmlconf/xmltest/valid/ext-sa/012.xml has five levels of
entity expansion.

Fixes: libexpat#34
Fixes: libexpat#46
Signed-off-by: Christian Heimes <christian@python.org>
@hartwork hartwork mentioned this issue Feb 21, 2020
Closed
@hartwork hartwork mentioned this issue Apr 23, 2021
Merged
@hartwork hartwork removed this from the 2.4.0 milestone May 11, 2021
hartwork added a commit that referenced this issue May 11, 2021
@hartwork
Merge pull request #466 from libexpat/protect-against-billion-laughs-…
309cd4a 
…attacks

[CVE-2013-0340, CWE-776] Protect against billion laughs attacks (fixes #34)
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Jul 2, 2021
@Jasper-Ben @sakoman
expat: fix CVE-2013-0340
b0b8437 
expat < 4.0 is vulnerable to billion laughs attacks (see
[libexpat/libexpat#34]). This patch backports
the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.

Additionally, the SRC_URI had to be adjusted due to renaming of the
source archive

Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
splitice pushed a commit to HalleyAssist/poky that referenced this issue Jul 2, 2021
@Jasper-Ben @rpurdie
expat: fix CVE-2013-0340
8a496e9 
expat < 4.0 is vulnerable to billion laughs attacks (see
[libexpat/libexpat#34]). This patch backports
the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.

Additionally, the SRC_URI had to be adjusted due to renaming of the
source archive

(From OE-Core rev: b0b843797321360693172c57f2400b9c56ca51cf)

Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this issue Jul 8, 2021
@Jasper-Ben @jpuhlman
expat: fix CVE-2013-0340
d2aaa2c 
Source: poky
MR: 110389
Type: Integration
Disposition: Merged from poky
ChangeID: 8a496e9eb9f0540cb5c319451413812b7c51caf9
Description:

expat < 4.0 is vulnerable to billion laughs attacks (see
[libexpat/libexpat#34]). This patch backports
the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.

Additionally, the SRC_URI had to be adjusted due to renaming of the
source archive

(From OE-Core rev: b0b843797321360693172c57f2400b9c56ca51cf)

Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement security
Projects
None yet
Milestone
No milestone
3 participants
@kwaclaw @hartwork @andy9a9