[Openstack-security] [Bug 1534284] Re: keystoneclient should not use etree XML parsing
Tristan Cacqueray
tdecacqu at redhat.com
Tue Jan 19 16:45:26 UTC 2016
I've removed the privacy settings and put the OSSA task as Won't Fix
based on the comments above. This can be put back to Incomplete if the
situation changes.
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
- --
-
XML parsing is surprisingly difficult and fraught with danger; for
example, entity expansion makes it easy to cause a lot of memory to be
used and therefore crash your system. keystoneclient is using etree
parsing, which has these potential issues, although in the case of
keystoneclient it's the response from the IdP, which I think is generally
trusted.
This is in python-keystoneclient/keystoneclient/contrib/auth/v3/saml2.py
There's a defusedxml parser that has protections against these attacks
and should therefore be used instead if possible -
https://pypi.python.org/pypi/defusedxml - the docs for this page also
include some examples of other possible attacks.
This was caught by bandit 0.17.0.
I'm going to start this out as private security so we can think about it
some more before it goes public, even though it's probably not something
that needs an issue since I think the source is generally trusted. If
you can't trust your IdP then who can you trust?
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534284
Title:
keystoneclient should not use etree XML parsing
Status in keystoneauth:
New
Status in OpenStack Security Advisory:
Won't Fix
Status in python-keystoneclient:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystoneauth/+bug/1534284/+subscriptions
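A standard-library-only version of the defence the report asks for, added here as an example (it is not keystoneclient's code and does not come from the bug report): it hooks expat's DTD handlers the way defusedxml does, so a DOCTYPE or entity declaration aborts the parse before any expansion can run. The SAML response and the entity-expansion document below are constructed samples, and the SAML_NS, parse_saml_response and assertion_subject names are this example's own.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

class ForbiddenDTD(ValueError):
    """The document carries a DOCTYPE or entity declaration."""

def _forbid(*_args):
    # Installed as an expat DTD handler; raising here unwinds out of Parse().
    raise ForbiddenDTD("DOCTYPE/ENTITY declarations are not allowed")

def _clark(name):
    # expat reports "uri}local" (namespace_separator="}"); ET wants "{uri}local".
    return "{" + name if "}" in name else name

def parse_saml_response(data: bytes) -> ET.Element:
    """Build an ElementTree from XML bytes, refusing any DTD. Entities can only
    be declared in a DTD, so this blocks billion-laughs expansion and XXE alike;
    it is stricter than defusedxml's defaults, which allow an entity-free DTD."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate(namespace_separator="}")
    parser.StartDoctypeDeclHandler = _forbid
    parser.EntityDeclHandler = _forbid
    parser.StartElementHandler = lambda tag, attrs: builder.start(_clark(tag), attrs)
    parser.EndElementHandler = lambda tag: builder.end(_clark(tag))
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()

def assertion_subject(data: bytes):
    """Return the NameID text of the first assertion, or None if absent."""
    node = parse_saml_response(data).find(".//{%s}NameID" % SAML_NS)
    return None if node is None else node.text

def is_rejected(data: bytes) -> bool:
    try:
        parse_saml_response(data)
    except ForbiddenDTD:
        return True
    return False

# Constructed inputs (not taken from the bug report or any real IdP).
BENIGN = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1"><saml:Assertion
  ID="_a1"><saml:Subject><saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject></saml:Assertion></samlp:Response>"""
ENTITY_EXPANSION = b"""<!DOCTYPE lolz [ <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> ]>
<lolz>&lol2;</lolz>"""
```

Because the DTD is refused at the declaration, the rejection cost is constant regardless of how deep the entity nesting goes, which is the property a parser facing untrusted IdP responses needs.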