
[CVE-2022-25236] lib: Protect against insertion of namesep characters into namespace URIs #561

Merged
merged 4 commits
Feb 18, 2022

Conversation

hartwork
Member

No description provided.

@hartwork hartwork added this to the 2.4.5 milestone Feb 15, 2022
@hartwork hartwork mentioned this pull request Feb 15, 2022
@hartwork
Member Author

CVE requested from Mitre just now.

@hartwork
Member Author

Received CVE-2022-25236.

@hartwork hartwork changed the title Protect against insertion of namesep characters into namespace URIs [CVE-2022-25236] lib: Protect against insertion of namesep characters into namespace URIs Feb 16, 2022
@hartwork hartwork merged commit 2cc97e8 into master Feb 18, 2022
@hartwork hartwork deleted the namesep-security branch February 18, 2022 17:02
sebageek added a commit to sapcc/asr1k-neutron-l3 that referenced this pull request Feb 28, 2022
Newer versions of libexpat have a mitigation for CVE-2022-25236 in place,
which disallows the use of certain characters as namespace separators
(to my understanding this is the separator used to separate namespace
and tag name in the parsed XML output we receive from the library). We
implicitly use libexpat via xmltodict.parse(), xmltodict uses a default
of ':', which now is invalid. Using ':' as separator results in the
following exception:

xml.parsers.expat.ExpatError: out of memory: line 1, column 0

This can also be reproduced with this Python snippet:

import xmltodict
xmltodict.parse("<foo></foo>", process_namespaces=True)

To mitigate this we need to use a different separator. xmltodict.parse()
exposes this as an argument, so passing namespace_separator=' ' (as
recommended by libexpat as a char that is not part of a URL, see bug
reports below or CVE) solves the problem for us. From what I can see
this also doesn't require any other changes on our side.

Relevant change in libexpat:
 * libexpat/libexpat#561

Relevant bug reports:
 * libexpat/libexpat#572
 * martinblech/xmltodict#289
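An added example (not code from this PR or from the sapcc commit above) showing why the namespace separator has to be a character that can never occur in a URI. It uses the stdlib `xml.parsers.expat` binding that xmltodict wraps; the two XML documents, the `expanded_names` / `split_expanded` helpers and the `http://example.com/ns` URI are constructed for this illustration.

```python
import xml.parsers.expat as expat

def expanded_names(xml_bytes, sep):
    """Parse with namespace processing enabled and return expat's expanded
    start-tag names, i.e. 'uri<sep>local' or 'uri<sep>local<sep>prefix'."""
    parser = expat.ParserCreate(namespace_separator=sep)
    parser.namespace_prefixes = True  # request uri<sep>local<sep>prefix triplets
    names = []
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names

def split_expanded(name, sep):
    """Consumer-side split of an expanded name into (uri, local, prefix).
    This is the step the CVE is about: it is only reliable if sep can
    never appear inside the namespace URI itself."""
    parts = name.split(sep)
    if len(parts) == 1:  # element without a namespace
        return "", parts[0], ""
    prefix = parts[2] if len(parts) > 2 else ""
    return parts[0], parts[1], prefix

# Constructed sample: a normal namespaced document. The URI contains ':', so
# xmltodict's old default separator ':' would already be ambiguous; ' ' is not
# a valid URI character (RFC 3986), so splitting on it is unambiguous.
GOOD_DOC = b'<a:root xmlns:a="http://example.com/ns"><a:child/></a:root>'

def parse_good():
    return [split_expanded(n, " ") for n in expanded_names(GOOD_DOC, " ")]

# Constructed sample: the separator smuggled into the namespace URI. libexpat
# >= 2.4.5 (this PR) rejects the document with ExpatError; an older expat passes
# it through and the consumer-side split attributes the element to the wrong
# namespace, which is exactly the confusion the fix prevents.
EVIL_DOC = b'<root xmlns="http://example.com/ns other"><x/></root>'

def parse_evil():
    try:
        names = expanded_names(EVIL_DOC, " ")
    except expat.ExpatError as exc:
        return {"rejected_by_expat": True, "confused": False, "error": str(exc)}
    uri, local, _prefix = split_expanded(names[0], " ")
    return {"rejected_by_expat": False,
            "confused": (uri, local) != ("http://example.com/ns other", "root")}

if __name__ == "__main__":
    print(parse_good())
    print(parse_evil())
```

With a patched libexpat `parse_evil()` reports the rejection; with an unpatched one it reports that the split was confused.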