
This queue is for tickets about the XML-Simple CPAN distribution.

Report information
The Basics
Id: 83794
Status: open
Priority: 0/
Queue: XML-Simple

Owner: grantm [...]
Requestors: advisories [...]
Cc: CARNIL [...]
cpan [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

CC: <grantm [...]>, <security [...]>
Subject: RE: Vulnerability in XML::Simple
Date: Wed, 6 Mar 2013 20:11:37 -0000
To: "advisories" <advisories [...]>, <bug-XML-Simple [...]>
From: "advisories" <advisories [...]>
Hi there,

I'd like to report a vulnerability in XML::Simple which relates to how it handles XML entities both internal and externally defined. I believe this may affect more than simply XML::Simple although I haven't had a chance to create PoC for the implementations of XML parsers on which XML::Simple depends. The

Tim Brown
Head Of Research
Senior Security Consultant
Portcullis Computer Security Ltd
The Grange Barn, Pike's End, Pinner, Middlesex, HA5 2EX
Tel: +44 (0)20 8868 0098
Fax: +44 (0)20 8868 0017
> -----Original Message-----
> From: Tim M. Brown On Behalf Of advisories
> Sent: 06 March 2013 19:57
> To: Grant McLean; advisories
> Subject: RE: Vulnerability in XML::Simple
>
> Acknowledged. This relates to an active issue being discussed on the oss-security mailing list regarding XML entity resolution. I will file a bug but we need to move fast.
>
> Tim
>
> > -----Original Message-----
> > From: Grant McLean
> > Sent: 06 March 2013 19:48
> > To: advisories
> > Subject: Re: Vulnerability in XML::Simple
> >
> > Hi Tim
> >
> > On Wed, 2013-03-06 at 19:33 +0000, Tim Brown wrote:
> > > Hi all,
> > >
> > > We have a security advisory that affects the XML::Simple module distributed on CPAN. It is likely that other Perl XML modules are also affected. How would you like to proceed?
> >
> > If you've found a problem, then I'd recommend you report it via the RT bug queue:
> >
> > Regards
> > Grant
On Wed Mar 06 15:11:55 2013, wrote:
> I believe this may affect more than simply XML::Simple although I haven't had a chance to create PoC for the implementations of XML parsers on which XML::Simple depends. The
I had been assuming that you were going to follow up with the remainder of this sentence. When you didn't, I looked closer and found that the complete message was in the HTML version of the message but the plain text version that RT and I were looking at was incomplete.

XML::Simple delegates the actual parsing of XML to other modules (either XML::Parser or one of the SAX modules). It does appear that most if not all of these parser modules are vulnerable to an entity expansion attack. I have begun communicating with the maintainers of these other modules to investigate what steps we can take to improve default behaviour.

A couple of defensive steps that people can take to protect their own systems include:

* using resource limits (e.g. ulimit -v) to limit the damage to individual processes rather than exhausting all system memory
* have validation routines strip out inline DTD sections from incoming XML documents where they are not expressly permitted, before passing the XML to a parser library

Thank you for reporting this issue.

Regards
Grant McLean
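One way to implement the second defensive step above, as an added example that is not part of this ticket or of XML::Simple itself: a pre-parse gate that rejects (rather than strips) any document carrying a DOCTYPE or ENTITY declaration before handing it to XMLin. The function names and the two sample documents are constructed for this illustration; the resource-limit step (ulimit -v) is applied to the process from outside and is not shown here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::Simple;

# Pre-parse gate: refuse any document carrying a DOCTYPE declaration (internal
# subset or external DTD reference) or an ENTITY declaration.  Entity expansion
# needs a DTD to declare the entities, so a document without one cannot trigger
# it whatever the underlying parser's defaults are.  Rejecting is stricter than
# stripping the DTD, but it avoids having to reason about matches inside
# comments or CDATA sections (the only places a literal "<!DOCTYPE" can appear
# in well-formed XML other than the prolog); a false positive there is harmless.
sub has_inline_dtd {
    my ($xml) = @_;
    return 1 if $xml =~ /<!DOCTYPE\b/i;
    return 1 if $xml =~ /<!ENTITY\b/i;
    return 0;
}

# Wrapper around XMLin for untrusted input: the gate runs first, and only a
# document that passes it reaches the parser.
sub parse_untrusted_xml {
    my ($xml) = @_;
    die "refusing to parse: document contains a DTD or entity declaration\n"
        if has_inline_dtd($xml);
    return XMLin($xml, KeyAttr => []);
}

# Constructed sample documents (hypothetical, not taken from the ticket).
my $benign = <<'END_XML';
<?xml version="1.0"?>
<config><name>example</name></config>
END_XML

my $with_dtd = <<'END_XML';
<?xml version="1.0"?>
<!DOCTYPE config [ <!ENTITY e "example"> ]>
<config><name>&e;</name></config>
END_XML

for my $doc ($benign, $with_dtd) {
    my $data = eval { parse_untrusted_xml($doc) };
    if ($@) {
        print "rejected: $@";
    } else {
        print "parsed, name=$data->{name}\n";
    }
}
```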
