
This queue is for tickets about the XML-Simple CPAN distribution.

Report information
The Basics
Id: 83794
Status: open
Priority: 0/
Queue: XML-Simple

People
Owner: grantm [...] cpan.org
Requestors: advisories [...] portcullis-security.com
Cc: CARNIL [...] cpan.org
cpan [...] zoffix.com
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



CC: <grantm [...] cpan.org>, <security [...] perl.org>
Subject: RE: Vulnerability in XML::Simple
Date: Wed, 6 Mar 2013 20:11:37 -0000
To: "advisories" <advisories [...] portcullis-security.com>, <bug-XML-Simple [...] rt.cpan.org>
From: "advisories" <advisories [...] portcullis-security.com>
Hi there,

I'd like to report a vulnerability in XML::Simple which relates to how it handles XML entities both internal and externally defined. I believe this may affect more than simply XML::Simple although I haven't had a chance to create PoC for the implementations of XML parsers on which XML::Simple depends. The

Tim Brown
Head Of Research
Senior Security Consultant
Portcullis Computer Security Ltd
The Grange Barn, Pike's End, Pinner, Middlesex, HA5 2EX
http://www.portcullis-security.com/
Tel: +44 (0)20 8868 0098
Fax: +44 (0)20 8868 0017
Email: advisories@portcullis-security.com
> -----Original Message-----
> From: Tim M. Brown On Behalf Of advisories
> Sent: 06 March 2013 19:57
> To: Grant McLean; advisories
> Cc: grantm@cpan.org; security@perl.org
> Subject: RE: Vulnerability in XML::Simple
>
> Acknowledged. This relates to an active issue being discussed on the oss-security mailing list regarding XML entity resolution. I will file a bug but we need to move fast.
>
> Tim
>
> > -----Original Message-----
> > From: Grant McLean [mailto:grant@mclean.net.nz]
> > Sent: 06 March 2013 19:48
> > To: advisories
> > Cc: grantm@cpan.org; security@perl.org
> > Subject: Re: Vulnerability in XML::Simple
> >
> > Hi Tim
> >
> > On Wed, 2013-03-06 at 19:33 +0000, Tim Brown wrote:
> > > Hi all,
> > >
> > > We have a security advisory that affects the XML::Simple module distributed on CPAN. It is likely that other Perl XML modules are also affected. How would you like to proceed?
> >
> > If you've found a problem, then I'd recommend you report it via the RT bug queue:
> >
> > https://rt.cpan.org/Public/Bug/Report.html?Queue=XML-Simple
> >
> > Regards
> > Grant


On Wed Mar 06 15:11:55 2013, advisories@portcullis-security.com wrote:

> I believe this may affect more than simply XML::Simple although I haven't had a chance to create PoC for the implementations of XML parsers on which XML::Simple depends. The

I had been assuming that you were going to follow up with the remainder of this sentence. When you didn't, I looked closer and found that the complete message was in the HTML version of the message but the plain text version that RT and I were looking at was incomplete.

XML::Simple delegates the actual parsing of XML to other modules (either XML::Parser or one of the SAX modules). It does appear that most if not all of these parser modules are vulnerable to an entity expansion attack. I have begun communicating with the maintainers of these other modules to investigate what steps we can take to improve default behaviour.

A couple of defensive steps that people can take to protect their own systems include:

* using resource limits (e.g. ulimit -v) to limit the damage to individual processes rather than exhausting all system memory
* have validation routines strip out inline DTD sections from incoming XML documents where they are not expressly permitted, before passing the XML to a parser library

Thank you for reporting this issue.

Regards
Grant McLean
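One way to put the second defensive step from the reply above in front of XML::Simple, as an added example that is not part of this ticket or of the XML::Simple distribution itself: the `assert_no_dtd` and `safe_xmlin` helper names and the two sample documents are constructed for illustration, and the check assumes the input is already a decoded Perl string.

```perl
use strict;
use warnings;
use XML::Simple qw(XMLin);

# Fail closed: refuse any document that carries a DOCTYPE or ENTITY
# declaration, so no inline DTD subset ever reaches the parser.
# The match runs on the raw text, deliberately before any XML library
# sees the input, and is case-sensitive because XML keywords are.
# A "<!DOCTYPE" inside a comment is a false positive; that is the safe
# direction. Assumption: $xml is a decoded Perl string (a UTF-16 byte
# string would have to be decoded before this check can see the markup).
sub assert_no_dtd {
    my ($xml) = @_;
    if ($xml =~ /<!(?:DOCTYPE|ENTITY)\b/) {
        die "Refusing to parse XML containing a DOCTYPE or ENTITY declaration\n";
    }
    return $xml;
}

# Thin wrapper (hypothetical name) so every caller gets the check and
# then the ordinary XMLin behaviour with whatever options it passes.
sub safe_xmlin {
    my ($xml, %opts) = @_;
    return XMLin(assert_no_dtd($xml), %opts);
}

# Constructed sample inputs: one plain document, one with an inline DTD.
my $plain    = '<config><host>example.invalid</host></config>';
my $with_dtd = '<!DOCTYPE config [ <!ENTITY e "x"> ]>'
             . '<config><host>&e;</host></config>';

my $cfg = safe_xmlin($plain, KeepRoot => 1);
print "parsed host: $cfg->{config}{host}\n";

my $ok = eval { safe_xmlin($with_dtd, KeepRoot => 1); 1 };
print "rejected: $@" unless $ok;
```

Pair this with the process-level resource limit the reply also mentions (ulimit -v), so that a parser defect the text filter does not anticipate still cannot exhaust the whole host.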