Bug #118099 for Image-Info: XXE in SVG files

Tue Sep 27 00:41:02 2016 dmoppert [...] redhat.com - Ticket created

Subject:	XXE in SVG files
Date:	Tue, 27 Sep 2016 14:10:39 +0930
To:	bug-Image-Info [...] rt.cpan.org
From:	Doran Moppert <dmoppert [...] redhat.com>

See also (Bug #118032) <https://rt.cpan.org/Public/Bug/Display.html?id=118032>. Image::Info::SVG makes no attempt to disable the expansion of XML external entities. If used on untrusted SVG files, an attacker could cause an arbitrary local file to disclosed or cause denial of service by including reference to an HTTP resource. The fix is to pass `expand_entities => 0` to the LibXML constructor. This should probably be the default behaviour, with an explicit option to Image::Info required to turn it back on. Most users will not expect that image_info($somefile) can cause arbitrary open() and connect() calls. This could be considered a breaking change, but the current behaviour is not explicitly documented (and offers no override) so it could make sense for only a minor version bump, which would get more 3rd party code protected sooner. -- Doran Moppert Red Hat Product Security

Download (untitled)
application/pgp-signature 836b

Message body not shown because it is not plain text.

Sat Oct 01 11:45:04 2016 SREZIC [...] cpan.org - Correspondence added

On 2016-09-27 00:41:02, dmoppert@redhat.com wrote: Show quoted text

> See also (Bug #118032) > <https://rt.cpan.org/Public/Bug/Display.html?id=118032>. > > Image::Info::SVG makes no attempt to disable the expansion of XML > external entities. If used on untrusted SVG files, an attacker could > cause an arbitrary local file to disclosed or cause denial of service > by including reference to an HTTP resource. > > The fix is to pass `expand_entities => 0` to the LibXML constructor. > This should probably be the default behaviour, with an explicit option > to Image::Info required to turn it back on. Most users will not expect > that image_info($somefile) can cause arbitrary open() and connect() > calls. > > This could be considered a breaking change, but the current behaviour is > not explicitly documented (and offers no override) so it could make > sense for only a minor version bump, which would get more 3rd party code > protected sooner. >

Thanks, the problem was addressed in the 1.38_50 release. The new release does not offer an option to enable expand_entities, for two reasons: - I did a survey over some SVG files and did not find any using XXE. Of course this does not mean that there are no such files out there, but ... - As Image::Info::SVG has two implementations (XML::LibXML and XML::Simple) it is possible that XXE processing happens or not, depending on the modules installed on the user's system. Especially, if XML::LibXML is not installed, XML::Simple is installed and just XML::SAX::PurePerl is available as a SAX parser XXE processing did not happen in the past.

Sat Oct 01 11:45:05 2016 The RT System itself - Status changed from 'new' to 'open'

Sat Oct 01 11:45:10 2016 SREZIC [...] cpan.org - Status changed from 'open' to 'patched'

Tue Oct 04 20:22:28 2016 dmoppert [...] redhat.com - Correspondence added

Subject:	Re: [rt.cpan.org #118099] XXE in SVG files
Date:	Wed, 5 Oct 2016 10:52:07 +1030
To:	Slaven_Rezic via RT <bug-Image-Info [...] rt.cpan.org>
From:	Doran Moppert <dmoppert [...] redhat.com>

On Oct 01 2016, Slaven_Rezic via RT wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=118099 > > Thanks, the problem was addressed in the 1.38_50 release.

Oops - sorry, I thought I had tested the current release, but I was looking at an older distro package. Thanks for identifying the version. Show quoted text

> The new release does not offer an option to enable expand_entities, for two reasons: > > - I did a survey over some SVG files and did not find any using XXE. Of course this does not mean that there are no such files out there, but ... > > - As Image::Info::SVG has two implementations (XML::LibXML and XML::Simple) it is possible that XXE processing happens or not, depending on the modules installed on the user's system. Especially, if XML::LibXML is not installed, XML::Simple is installed and just XML::SAX::PurePerl is available as a SAX parser XXE processing did not happen in the past.

I totally agree with your reasoning. In the (very strange) case that a user might want XXE, having to do so in a distinct step doesn't seem like too much of a burden. Thanks for the detailed response! -- Doran Moppert Red Hat Product Security

Tue Oct 04 21:23:23 2016 dmoppert [...] redhat.com - Correspondence added

Subject:	Re: [rt.cpan.org #118099] XXE in SVG files
Date:	Wed, 5 Oct 2016 11:53:03 +1030
To:	Slaven_Rezic via RT <bug-Image-Info [...] rt.cpan.org>
From:	Doran Moppert <dmoppert [...] redhat.com>

On Oct 05 2016, Doran Moppert wrote: Show quoted text

> On Oct 01 2016, Slaven_Rezic via RT wrote:

> > <URL: https://rt.cpan.org/Ticket/Display.html?id=118099 > > > Thanks, the problem was addressed in the 1.38_50 release.

> > Oops - sorry, I thought I had tested the current release, but I was > looking at an older distro package. Thanks for identifying the version.

Argh, my mistake - I see you just cut that release. Thanks for the quick response and patch. -- Doran Moppert Red Hat Product Security

Sat Oct 08 05:04:50 2016 SREZIC [...] cpan.org - Correspondence added

On 2016-10-04 21:23:23, dmoppert@redhat.com wrote: Show quoted text

> On Oct 05 2016, Doran Moppert wrote:

> > On Oct 01 2016, Slaven_Rezic via RT wrote:

> > > <URL: https://rt.cpan.org/Ticket/Display.html?id=118099 > > > > Thanks, the problem was addressed in the 1.38_50 release.

> > > > Oops - sorry, I thought I had tested the current release, but I was > > looking at an older distro package. Thanks for identifying the version.

> > Argh, my mistake - I see you just cut that release. Thanks for the > quick response and patch. >

1.39 is released.

Sat Oct 08 05:04:51 2016 SREZIC [...] cpan.org - Status changed from 'patched' to 'resolved'

Wed Nov 02 01:41:13 2016 CARNIL [...] cpan.org - Cc CARNIL added