
This queue is for tickets about the Image-Info CPAN distribution.

Report information
The Basics
Id: 118099
Status: resolved
Priority: 0/
Queue: Image-Info

People
Owner: Nobody in particular
Requestors: dmoppert [...] redhat.com
Cc: CARNIL [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: XXE in SVG files
Date: Tue, 27 Sep 2016 14:10:39 +0930
To: bug-Image-Info [...] rt.cpan.org
From: Doran Moppert <dmoppert [...] redhat.com>
See also (Bug #118032) <https://rt.cpan.org/Public/Bug/Display.html?id=118032>.

Image::Info::SVG makes no attempt to disable the expansion of XML external entities. If used on untrusted SVG files, an attacker could cause an arbitrary local file to be disclosed or cause denial of service by including a reference to an HTTP resource.

The fix is to pass `expand_entities => 0` to the LibXML constructor. This should probably be the default behaviour, with an explicit option to Image::Info required to turn it back on. Most users will not expect that image_info($somefile) can cause arbitrary open() and connect() calls.

This could be considered a breaking change, but the current behaviour is not explicitly documented (and offers no override), so it could make sense for only a minor version bump, which would get more 3rd-party code protected sooner.

-- 
Doran Moppert
Red Hat Product Security
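The file-disclosure path described in the report above, as an added example that is not part of this ticket or of Image::Info. It uses Python's standard-library xml.sax (expat) reader instead of XML::LibXML so that it runs without any CPAN modules; the SVG, the secret file and its contents are all constructed here. The SAX feature_external_ges flag plays the role that `expand_entities` plays in XML::LibXML: with it on, the SVG's <title> comes back holding the contents of whatever local file the DTD's SYSTEM identifier names; with it off, the reference is skipped and the parser never opens the file.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed SVG: the internal DTD declares an external general entity whose
# system identifier is a local file path, and the <title> element references
# it. {path} is filled in by demo() below.
SVG_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY secret SYSTEM "{path}">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <title>&secret;</title>
</svg>
"""


class TitleCollector(ContentHandler):
    """Gathers the character data inside the SVG <title> element."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "title":
            self._in_title = True

    def endElement(self, name):
        if name == "title":
            self._in_title = False

    def characters(self, content):
        if self._in_title:
            self.parts.append(content)


def svg_title(svg_bytes, expand_entities):
    """Return the <title> text of an SVG document.

    expand_entities=True reproduces the behaviour the ticket reports: the
    parser fetches whatever the DTD's SYSTEM identifier names and splices it
    into the document. False is the hardened setting, analogous in effect to
    passing expand_entities => 0 to XML::LibXML: the reference is skipped and
    no open()/connect() happens on the attacker's behalf.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, expand_entities)
    handler = TitleCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(handler.parts)


def demo(secret=b"s3cr3t-token"):
    """Write a constructed secret file, parse an SVG that references it with
    expansion on and off, and return (leaked_text, hardened_text)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        svg = SVG_TEMPLATE.format(path=path).encode()
        leaked = svg_title(svg, expand_entities=True)
        hardened = svg_title(svg, expand_entities=False)
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("expand on :", repr(leaked))
    print("expand off:", repr(hardened))
```

The same document, parsed two ways, is the whole check: an image-metadata call should never return the contents of a file the image did not contain. The HTTP denial-of-service variant from the report follows the same path, with a URL in place of the file path, and is shut off by the same flag.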

On 2016-09-27 00:41:02, dmoppert@redhat.com wrote:
> See also (Bug #118032)
> <https://rt.cpan.org/Public/Bug/Display.html?id=118032>.
>
> Image::Info::SVG makes no attempt to disable the expansion of XML
> external entities. If used on untrusted SVG files, an attacker could
> cause an arbitrary local file to be disclosed or cause denial of service
> by including a reference to an HTTP resource.
>
> The fix is to pass `expand_entities => 0` to the LibXML constructor.
> This should probably be the default behaviour, with an explicit option
> to Image::Info required to turn it back on. Most users will not expect
> that image_info($somefile) can cause arbitrary open() and connect()
> calls.
>
> This could be considered a breaking change, but the current behaviour is
> not explicitly documented (and offers no override), so it could make
> sense for only a minor version bump, which would get more 3rd-party code
> protected sooner.
>
Thanks, the problem was addressed in the 1.38_50 release. The new release does not offer an option to enable expand_entities, for two reasons:

- I did a survey over some SVG files and did not find any using XXE. Of course this does not mean that there are no such files out there, but ...

- As Image::Info::SVG has two implementations (XML::LibXML and XML::Simple), it is possible that XXE processing happens or not, depending on the modules installed on the user's system. Especially, if XML::LibXML is not installed, XML::Simple is installed and just XML::SAX::PurePerl is available as a SAX parser, XXE processing did not happen in the past.
Subject: Re: [rt.cpan.org #118099] XXE in SVG files
Date: Wed, 5 Oct 2016 10:52:07 +1030
To: Slaven_Rezic via RT <bug-Image-Info [...] rt.cpan.org>
From: Doran Moppert <dmoppert [...] redhat.com>
On Oct 01 2016, Slaven_Rezic via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=118099 >
>
> Thanks, the problem was addressed in the 1.38_50 release.

Oops - sorry, I thought I had tested the current release, but I was looking at an older distro package. Thanks for identifying the version.

> The new release does not offer an option to enable expand_entities, for two reasons:
>
> - I did a survey over some SVG files and did not find any using XXE. Of course this does not mean that there are no such files out there, but ...
>
> - As Image::Info::SVG has two implementations (XML::LibXML and XML::Simple), it is possible that XXE processing happens or not, depending on the modules installed on the user's system. Especially, if XML::LibXML is not installed, XML::Simple is installed and just XML::SAX::PurePerl is available as a SAX parser, XXE processing did not happen in the past.

I totally agree with your reasoning. In the (very strange) case that a user might want XXE, having to do so in a distinct step doesn't seem like too much of a burden. Thanks for the detailed response!

-- 
Doran Moppert
Red Hat Product Security
Subject: Re: [rt.cpan.org #118099] XXE in SVG files
Date: Wed, 5 Oct 2016 11:53:03 +1030
To: Slaven_Rezic via RT <bug-Image-Info [...] rt.cpan.org>
From: Doran Moppert <dmoppert [...] redhat.com>
On Oct 05 2016, Doran Moppert wrote:
> On Oct 01 2016, Slaven_Rezic via RT wrote:
> > <URL: https://rt.cpan.org/Ticket/Display.html?id=118099 >
> >
> > Thanks, the problem was addressed in the 1.38_50 release.
>
> Oops - sorry, I thought I had tested the current release, but I was
> looking at an older distro package. Thanks for identifying the version.

Argh, my mistake - I see you just cut that release. Thanks for the quick response and patch.

-- 
Doran Moppert
Red Hat Product Security
On 2016-10-04 21:23:23, dmoppert@redhat.com wrote:
> On Oct 05 2016, Doran Moppert wrote:
> > On Oct 01 2016, Slaven_Rezic via RT wrote:
> > > <URL: https://rt.cpan.org/Ticket/Display.html?id=118099 >
> > >
> > > Thanks, the problem was addressed in the 1.38_50 release.
> >
> > Oops - sorry, I thought I had tested the current release, but I was
> > looking at an older distro package. Thanks for identifying the version.
>
> Argh, my mistake - I see you just cut that release. Thanks for the
> quick response and patch.
>
1.39 is released.