Help protect against billion laughs attack (for when XML entities need to be supported) #34
Comments
Hello everyone, Thanks
For a quick reply: it's not something we could just apply and merge without risk of breaking things and without additional resources.
I should mention that this new feature should have dedicated tests and there are none, yet.
Isn't the usual mitigation to disable DTD processing?
On Mon, Jul 30, 2018, 14:24 Sebastian Pipping wrote:
> For a quick reply: it's not something we could just apply and merge without risk of breaking things and without additional resources.
Could it be that you're referring to disabling support for external entities here?
Don't you need DTD processing turned on to expand entities? I remember from way back that for Expat the simple remedy for the million XXX attack was to disable DTD processing. See https://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/.
I believe you do, yes. Turning DTD off is simple but not nice.
I also remember that at one time we had discussed reworking the memory allocation functions so that we could track the memory allocated for the parser instance. That would have allowed us to simply stop when a specific threshold was exceeded.
I think we have discussed that before and I remember just tracking memory usage was too simple in some regard. Would need to look it up. |
libexpat is vulnerable to billion laughs and quadratic blowup DoS attacks. processInternalEntity() function now limits entity expansion and nesting in three ways:
* Entity nesting is limited to three levels of recursion.
* Total length of an entity is limited to 1023 bytes.
* The ratio of entity expansion to processed bytes cannot exceed 1:10.
The mitigation is enabled by default and can be disabled with XML_SetOptions(parser, XML_OPTION_HUGE_ENTITES). The xmlwf command has a new option -H to enable huge entities.
The new entity expansion limits cause one test to fail. The XML test file tests/xmlconf/xmltest/valid/ext-sa/012.xml has five levels of entity expansion.
Fixes: libexpat#34
Fixes: libexpat#46
Signed-off-by: Christian Heimes <christian@python.org>
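The three limits in the commit message above, and the "just turn DTDs off" option from the discussion, as an added example that is not libexpat's code and not the patch under review. It sits on Python's stdlib expat binding (xml.parsers.expat, which wraps libexpat) and enforces the checks in handler callbacks: reject any DOCTYPE, cap the replacement text of a single internal entity, and abort once expanded output outgrows fed input by more than a ratio. The class and parameter names (GuardedParser, max_ratio, min_output, EntityExpansionError) and the two sample documents are my own; the ratio is checked against total bytes fed, which approximates the commit's "processed bytes" rather than reproducing its accounting.

```python
# Added example: an entity-expansion guard on top of xml.parsers.expat.
# Not libexpat's implementation; names and limits are illustrative.
import xml.parsers.expat


class EntityExpansionError(ValueError):
    """Raised when a document trips one of the guard's limits."""


class GuardedParser:
    def __init__(self, forbid_dtd=False, max_entity_len=1023,
                 max_ratio=10.0, min_output=4096):
        self.forbid_dtd = forbid_dtd          # "turn DTD off" mitigation
        self.max_entity_len = max_entity_len  # cap per entity replacement text
        self.max_ratio = max_ratio            # expanded chars / fed bytes
        self.min_output = min_output          # never judge tiny documents
        self.fed = 0
        self.expanded = 0
        self.text = []
        p = xml.parsers.expat.ParserCreate()
        p.StartDoctypeDeclHandler = self._on_doctype
        p.EntityDeclHandler = self._on_entity_decl
        p.CharacterDataHandler = self._on_chars
        p.StartElementHandler = self._on_start
        self._p = p

    def _on_doctype(self, name, sysid, pubid, has_internal_subset):
        if self.forbid_dtd:
            raise EntityExpansionError("DOCTYPE not allowed")

    def _on_entity_decl(self, name, is_pe, value, base, sysid, pubid, notation):
        # value is the literal (unexpanded) replacement text of an internal entity
        if value is not None and len(value) > self.max_entity_len:
            raise EntityExpansionError(
                f"entity {name!r} replacement text is {len(value)} chars")

    def _count(self, n):
        # Raising inside an expat handler aborts the parse and propagates
        # out of Parse(), so the bomb never finishes expanding.
        self.expanded += n
        if self.expanded >= self.min_output and self.expanded > self.max_ratio * self.fed:
            raise EntityExpansionError(
                f"expansion ratio exceeded: {self.expanded} chars out, {self.fed} bytes in")

    def _on_chars(self, data):
        self.text.append(data)
        self._count(len(data))

    def _on_start(self, name, attrs):
        # entities expand inside attribute values too; count those as output
        for v in attrs.values():
            self._count(len(v))

    def parse(self, data: bytes) -> str:
        self.fed += len(data)
        self._p.Parse(data, True)
        return "".join(self.text)


def parse_text(doc: bytes, **limits) -> str:
    return GuardedParser(**limits).parse(doc)


def check(doc: bytes, **limits):
    """Return ("ok", text) or ("rejected", reason) for a document."""
    try:
        return "ok", parse_text(doc, **limits)
    except EntityExpansionError as e:
        return "rejected", str(e)


# Constructed sample documents (mine, not from the issue).
BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY co "Example Corp"> ]>
<d>&co; thanks &co;</d>"""

# Four levels of ten-fold expansion: 10,000 copies of "lol" (30,000 chars)
# from under 400 bytes of input; small enough to stay below libexpat's own
# built-in amplification threshold so this guard is what rejects it.
BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>"""

if __name__ == "__main__":
    print(check(BENIGN))
    print(check(BENIGN, forbid_dtd=True))
    print(check(BOMB))
    print(check(BOMB, max_entity_len=40))
```

Note that libexpat 2.4.0 and later ship their own amplification limit (XML_SetBillionLaughsAttackProtectionMaximumAmplification, active by default once output passes an activation threshold of several MiB), so on a current Python a full-size bomb is rejected by expat itself with an ExpatError before this guard ever sees it; the sample here is kept small on purpose. The ratio check deliberately waits for min_output so that a short document with one long entity used a few times is not misclassified, which is the usual false-positive case for this kind of limit.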
…attacks [CVE-2013-0340, CWE-776] Protect against billion laughs attacks (fixes #34)
expat < 4.0 is vulnerable to billion laughs attacks (see [libexpat/libexpat#34]). This patch backports the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. Additionally, the SRC_URI had to be adjusted due to renaming of the source archive Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> Signed-off-by: Steve Sakoman <steve@sakoman.com>
(The latest version of) https://github.com/tiran/expat_cvs/commits/xmlbomb should be assessed for integratability.
Branch defusedexpat-2.1.0 in here has his patch (with path fixes to match our file layout) for more convenient inspection.