[Secure-testing-team] Bug#700950: CVE-2013-0280: Ignore XML entities
Thomas Goirand
zigo at debian.org
Tue Feb 19 16:05:29 UTC 2013
Package: cinder
Version: 2012.2.3-1
Severity: grave
Tags: security
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent
independently reported a vulnerability in the parsing of XML requests in
Keystone, Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on the Keystone, Nova
or Cinder API servers, resulting in a denial of service and potentially a
crash. Authenticated attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This only affects servers
with XML support enabled.
Adds a new utils.safe_minidom_parse_string function and updates external API
facing Cinder modules to use it. This ensures we have safe defaults on our
incoming API XML parsing.
Internally safe_minidom_parse_string uses a ProtectedExpatParser class to
disable DTDs and entities from being parsed when using minidom.
Patched version is ready, upload will happen after it is accepted by the
FTP masters and leaves the NEW queue.
Thomas Goirand (zigo)
More information about the Secure-testing-team
mailing list