CVE-2017-1000190: XXE vulnerability resulting in SSRF, information disclosure, DoS, etc.


Debian Bug report logs - #888547

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 26 Jan 2018 23:18:05 UTC

Severity: grave

Tags: security, upstream

Found in version simple-xml/2.7.1-1

Forwarded to https://github.com/ngallagher/simplexml/issues/18



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Fri, 26 Jan 2018 23:18:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 26 Jan 2018 23:18:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-1000190
Date: Sat, 27 Jan 2018 00:14:19 +0100
Source: simple-xml
Severity: important
Tags: security

CVE-2017-1000190 has been assigned to this bug in simple-xml:
https://github.com/ngallagher/simplexml/issues/18

Cheers,
        Moritz



Marked as found in versions simple-xml/2.7.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Jan 2018 07:33:03 GMT)


Set Bug forwarded-to-address to 'https://github.com/ngallagher/simplexml/issues/18'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Jan 2018 07:33:04 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Jan 2018 07:33:05 GMT)


Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 30 Apr 2018 22:51:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Thu, 23 Aug 2018 11:18:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 23 Aug 2018 11:18:03 GMT)


Message #18 received at 888547@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 888547@bugs.debian.org
Subject: Re: CVE-2017-1000190
Date: Thu, 23 Aug 2018 13:14:17 +0200
Apparently upstream doesn't consider this "to be their problem". Since
simple-xml has no reverse-dependencies and the current uploader is MIA,
I think we should consider requesting the removal of simple-xml.

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Thu, 23 Aug 2018 13:57:03 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 23 Aug 2018 13:57:03 GMT)


Message #23 received at 888547@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 888547@bugs.debian.org
Subject: Re: CVE-2017-1000190
Date: Thu, 23 Aug 2018 15:55:22 +0200
On 23/08/2018 13:14, Markus Koschany wrote:
> Apparently upstream doesn't consider this "to be their problem". Since
> simple-xml has no reverse-dependencies and the current uploader is MIA,
> I think we should consider requesting the removal of simple-xml.

simple-xml is a dependency of carrotsearch-randomizedtesting.

The fix should be trivial, it's just a matter of disabling external
entities parsing on the underlying XML parser. And maybe we've already
fixed the XML parser used by default.

Emmanuel Bourg
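Emmanuel's suggested mitigation, written out as an added example that is not part of this bug log and not simple-xml's own code: a Java program that configures the two JDK parser APIs a library of this kind typically sits on (StAX and DOM) so that DTDs and external entities are refused, then feeds a constructed document with an external entity declaration and a benign document through both. The class and method names are my own, the sample documents are constructed here, and the feature URIs are the standard SAX/Xerces ones; the example does not claim to show which parser simple-xml actually uses.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical class name; not part of simple-xml or the JDK.
public class HardenedXmlParsers {

    // Constructed sample: the DTD declares an external entity. A parser that
    // resolves it would read the named resource and inline its contents; the
    // hardened parsers below refuse the DTD (or the undeclared reference) instead.
    static final String CONSTRUCTED_XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [ <!ENTITY ext SYSTEM \"file:///placeholder/never/read\"> ]>\n"
      + "<root><value>&ext;</value></root>";

    // Constructed benign document with no DTD; both hardened parsers must accept it.
    static final String CONSTRUCTED_BENIGN_SAMPLE =
        "<?xml version=\"1.0\"?><root><value>hello</value></root>";

    /** StAX factory with DTD processing and external-entity resolution switched off. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        // Refuse DTDs entirely; this also removes entity-expansion DoS (billion laughs).
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Belt and braces: never resolve external general entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** DOM factory with the usual anti-XXE features applied (disallow DOCTYPE first). */
    static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns the text of the first <value> element, or null if the document is rejected. */
    static String parseValueWithStax(String xml) {
        try {
            XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT && "value".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } catch (XMLStreamException e) {
            // With SUPPORT_DTD off the JDK parser reports "&ext;" as an undeclared
            // entity, so the whole document is dropped rather than partially trusted.
            return null;
        }
    }

    /** Same contract as above, using the DOM API. */
    static String parseValueWithDom(String xml) {
        try {
            DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getElementsByTagName("value").item(0).getTextContent();
        } catch (Exception e) {
            // disallow-doctype-decl makes the DOCTYPE itself a fatal parse error.
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("StAX benign : " + parseValueWithStax(CONSTRUCTED_BENIGN_SAMPLE));
        System.out.println("StAX XXE    : " + parseValueWithStax(CONSTRUCTED_XXE_SAMPLE));
        System.out.println("DOM  benign : " + parseValueWithDom(CONSTRUCTED_BENIGN_SAMPLE));
        System.out.println("DOM  XXE    : " + parseValueWithDom(CONSTRUCTED_XXE_SAMPLE));
    }
}
```

Rejecting the DOCTYPE outright is the setting to reach for when the application never needs DTDs, because it closes external entities, parameter entities and expansion bombs in one step; the individual `external-*-entities` features are the fallback for code that must still accept internal DTDs. A quick check that a packaged library is actually hardened is to run its parser over the XXE sample above and confirm it fails rather than returning the referenced content.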



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Thu, 23 Aug 2018 15:15:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 23 Aug 2018 15:15:03 GMT)


Message #28 received at 888547@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 888547@bugs.debian.org
Subject: Re: Bug#888547: CVE-2017-1000190
Date: Thu, 23 Aug 2018 17:11:11 +0200
Am 23.08.2018 um 15:55 schrieb Emmanuel Bourg:
> On 23/08/2018 13:14, Markus Koschany wrote:
>> Apparently upstream doesn't consider this "to be their problem". Since
>> simple-xml has no reverse-dependencies and the current uploader is MIA,
>> I think we should consider requesting the removal of simple-xml.
> 
> simple-xml is a dependency of carrotsearch-randomizedtesting.
> 
> The fix should be trivial, it's just a matter of disabling external
> entities parsing on the underlying XML parser. And maybe we've already
> fixed the XML parser used by default.

My concern is that we have an upstream project that does not even
consider such a trivial fix. Then we have another example of a
fire-and-forget one time upload (simple-xml) and now the package is
carried "by the team". carrotsearch-randomizedtesting is a
test-dependency for lucene4.10 and spatial4j, same pattern, one time
upload, now carried by the team. And when I see that we ship at least
three versions of lucene in Debian, then I suppose we still have some
room for improvements.

The gist is: Better maintain few packages and do it well, instead of
maintaining many packages that just exist for collecting RC bugs.

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Thu, 23 Aug 2018 23:21:03 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 23 Aug 2018 23:21:03 GMT)


Message #33 received at 888547@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 888547@bugs.debian.org
Subject: Re: Bug#888547: CVE-2017-1000190
Date: Fri, 24 Aug 2018 01:18:09 +0200
On 23/08/2018 17:11, Markus Koschany wrote:

> My concern is that we have an upstream project that does not even
> consider such a trivial fix. Then we have another example of a
> fire-and-forget one time upload (simple-xml) and now the package is
> carried "by the team". carrotsearch-randomizedtesting is a
> test-dependency for lucene4.10 and spatial4j, same pattern, one time
> upload, now carried by the team. And when I see that we ship at least
> three versions of lucene in Debian, then I suppose we still have some
> room for improvements.

lucene2 is only used by eclipse, I hope we'll be able to remove both of
them before Buster is released. With the new eclipse-* packages heading
to unstable this is now a likely outcome.


> The gist is: Better maintain few packages and do it well, instead of
> maintaining many packages that just exist for collecting RC bugs.

I agree. Not all CVEs are equally important though, here simple-xml is
just a test dependency of another package and has a very low popcon, the
vulnerability has no real impact on the Debian users.

Emmanuel Bourg



Changed Bug title to 'CVE-2017-1000190: XXE vulnerability resulting in SSRF, information disclosure, DoS, etc.' from 'CVE-2017-1000190'. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Sun, 07 Apr 2019 15:21:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Sat, 13 Apr 2019 09:33:03 GMT)


Acknowledgement sent to Ivo De Decker <ivodd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 13 Apr 2019 09:33:03 GMT)


Message #40 received at 888547@bugs.debian.org:

From: Ivo De Decker <ivodd@debian.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: 888547@bugs.debian.org
Subject: Re: Bug#888547: CVE-2017-1000190
Date: Sat, 13 Apr 2019 11:31:09 +0200
Hi,

On Fri, Aug 24, 2018 at 01:18:09AM +0200, Emmanuel Bourg wrote:
> On 23/08/2018 17:11, Markus Koschany wrote:
> 
> > My concern is that we have an upstream project that does not even
> > consider such a trivial fix. Then we have another example of a
> > fire-and-forget one time upload (simple-xml) and now the package is
> > carried "by the team". carrotsearch-randomizedtesting is a
> > test-dependency for lucene4.10 and spatial4j, same pattern, one time
> > upload, now carried by the team. And when I see that we ship at least
> > three versions of lucene in Debian, then I suppose we still have some
> > room for improvements.
> 
> lucene2 is only used by eclipse, I hope we'll be able to remove both of
> them before Buster is released. With the new eclipse-* packages heading
> to unstable this is now a likely outcome.
> 
> 
> > The gist is: Better maintain few packages and do it well, instead of
> > maintaining many packages that just exist for collecting RC bugs.
> 
> I agree. Not all CVEs are equally important though, here simple-xml is
> just a test dependency of another package and has a very low popcon, the
> vulnerability has no real impact on the Debian users.

Is it possible to remove the test-dependency (probably by disabling the
tests)? That way simple-xml could be removed from buster. Even if we don't do
this for buster, it might be good to do this for bullseye anyway, if the
package isn't really maintained.

Thanks,

Ivo




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Sun, 14 Apr 2019 21:30:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 14 Apr 2019 21:30:03 GMT)


Message #45 received at 888547@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Ivo De Decker <ivodd@debian.org>
Cc: 888547@bugs.debian.org, Emmanuel Bourg <ebourg@apache.org>
Subject: Re: Bug#888547: CVE-2017-1000190
Date: Sun, 14 Apr 2019 23:27:12 +0200
Hi,

Am 13.04.19 um 11:31 schrieb Ivo De Decker:
[...]
> Is it possible to remove the test-dependency (probably by disabling the
> tests)? That way simple-xml could be removed from buster. Even if we don't do
> this for buster, it might be good to do this for bullseye anyway, if the
> package isn't really maintained.

Simple-xml is only required to build carrotsearch-randomizedtesting. It
is not a test-dependency though. However I have just disabled the only
module in carrotsearch-randomizedtesting that uses simple-xml, which is
junit4-ant.

If we do that then lucene4.10 will FTBFS but it requires only a simple
patch to tell the build system not to look for the now missing
junit4-ant dependency. Apparently the removal makes no difference for
lucene4.10. I can implement those changes in the coming days.

Regards,

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Sun, 14 Apr 2019 22:06:03 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 14 Apr 2019 22:06:03 GMT)


Message #50 received at 888547@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Markus Koschany <apo@debian.org>, Ivo De Decker <ivodd@debian.org>
Cc: 888547@bugs.debian.org
Subject: Re: Bug#888547: CVE-2017-1000190
Date: Sun, 14 Apr 2019 23:57:26 +0200
Le 14/04/2019 à 23:27, Markus Koschany a écrit :

> Simple-xml is only required to build carrotsearch-randomizedtesting. It
> is not a test-dependency though.

> Apparently the removal makes no difference for lucene4.10.

Indeed, because carrotsearch-randomizedtesting is just a test dependency
of lucene4.10.

Emmanuel Bourg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888547; Package src:simple-xml. (Mon, 22 Apr 2019 10:21:02 GMT)


Acknowledgement sent to Ivo De Decker <ivodd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 22 Apr 2019 10:21:02 GMT)


Message #55 received at 888547@bugs.debian.org:

From: Ivo De Decker <ivodd@debian.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: Markus Koschany <apo@debian.org>, Ivo De Decker <ivodd@debian.org>, 888547@bugs.debian.org
Subject: Re: Bug#888547: CVE-2017-1000190
Date: Mon, 22 Apr 2019 12:19:14 +0200
Hi,

On Sun, Apr 14, 2019 at 11:57:26PM +0200, Emmanuel Bourg wrote:
> Le 14/04/2019 à 23:27, Markus Koschany a écrit :
> 
> > Simple-xml is only required to build carrotsearch-randomizedtesting. It
> > is not a test-dependency though.
> 
> > Apparently the removal makes no difference for lucene4.10.
> 
> Indeed, because carrotsearch-randomizedtesting is just a test dependency
> of lucene4.10.

Thanks for the changes allowing simple-xml to be removed. I added a removal
hint so simple-xml should be out of testing soon.

Ivo






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:14 2019; Machine Name: buxtehude
