geopython/pywps

Invalid XML security version

fmigneault opened this issue · 6 comments

Description

Since the introduction of #621 and release 4.5.0 in #613, tools that track security/dependency updates like pyup are flagging the following:

An XML external entity (XXE) injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected. See CVE-2021-39371.

from:
https://pyup.io/repos/github/crim-ca/weaver/commits/?page=1#a586cb79de278fdc33d6eeee5feb6f6233f60a16

Because XML security specific to that issue was handled in #618, which is tagged after in 4.4.5, the requirement should be "injection in PyWPS before 4.4.5", and mark the minimum requirement as 4.4.5 rather than 4.5.0.

I would like to have a revision of the security advisory for the lower version for 2 reasons:

  1. Version 4.5.0 introduces some important changes relative to ogc-api, for which it is not trivial to guarantee backward compatibility with existing services that did not expect them to be there.
  2. According to whichever decision is taken from #590, the 4.5.x branch should be either a development branch until 4.6.x, or the addition of ogc-api should introduce 5.x releases. Either way, 4.5.0 is not a "ready" release (as shown by tests still failing), and suggesting that users fix the XML security should not be done at the same time as new feature integration.

Currently, I am receiving a lot of warnings regarding this security issue, and I cannot directly/safely update to 4.5.0 yet until it is properly validated.

Should be an easy fix by @cehbrecht / @tomkralidis

@fmigneault I have contacted the author of this CVE. The author will update the CVE with minimum version 4.4.5.

@cehbrecht

It looks like a change was pushed, but still incorrect (up to 4.5.5 instead of 4.4.5):

https://nvd.nist.gov/vuln/detail/CVE-2021-39371#VulnChangeHistorySection

Changed CPE Configuration
  Old: OR cpe:2.3:a:github:owslib:0.24.1:*:*:*:*:*:*:* cpe:2.3:a:osgeo:pywps:*:*:*:*:*:*:*:* versions up to (excluding) 4.5.0
  New: OR cpe:2.3:a:github:owslib:0.24.1:*:*:*:*:*:*:* cpe:2.3:a:osgeo:pywps:*:*:*:*:*:*:*:* versions up to (excluding) 4.5.5

While editing this, can https://github.com/crim-ca/weaver also be added for minimal 4.0 ?
I'm planning to release a new version with the same fix as #616

@fmigneault ... it looks like the CVE is already corrected with version 4.4.5.

The CVE wasn't opened by me. Do you want to add weaver to the same CVE? Or open a new one?

I have no experience with this. Personally I would say it is a bug in lxml that we all run into ...

I see the update to 4.4.5.
This is weird, security automation bots don't seem to pick it up and remain stuck on 4.5.0 for some reason.

Weaver can be added to the same CVE since it heavily depends on pywps and OWSLib. I think lxml will not consider it an issue since they provide an option to fix it.
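Added example, not code from pywps, OWSLib, weaver or this thread: a defender-side gate for incoming WPS request XML that rejects DTD/entity declarations before parsing and, where lxml is installed, also parses with entity resolution switched off (the lxml option referred to above is assumed to be resolve_entities=False). The sample requests and the file path in them are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an XXE probe against a WPS Execute request
# (placeholder path; the entity is never resolved by the code below).
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE wps [
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/secret.txt">
]>
<wps:Execute xmlns:wps="http://www.opengis.net/wps/1.0.0">
  <ows:Identifier xmlns:ows="http://www.opengis.net/ows/1.1">&leak;</ows:Identifier>
</wps:Execute>"""

# Constructed benign request of the same shape.
CLEAN_SAMPLE = b"""<?xml version="1.0"?>
<wps:Execute xmlns:wps="http://www.opengis.net/wps/1.0.0">
  <ows:Identifier xmlns:ows="http://www.opengis.net/ows/1.1">hello</ows:Identifier>
</wps:Execute>"""

_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(data: bytes) -> bool:
    """Pre-parse gate: WPS requests never need a DTD, so any DOCTYPE or ENTITY
    declaration is rejected outright, independent of which XML library follows."""
    return _DTD_MARKERS.search(data) is not None


def parse_untrusted(data: bytes):
    """Parse request XML with entity expansion disabled. Uses lxml when present
    (assumed hardening: resolve_entities=False, no_network=True); otherwise falls
    back to the stdlib parser, which does not fetch external entities either."""
    if has_dtd(data):
        raise ValueError("DTD/entity declarations are not accepted in WPS requests")
    try:
        from lxml import etree
        parser = etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)
        return etree.fromstring(data, parser=parser)
    except ImportError:
        return ET.fromstring(data)


def rejects(data: bytes) -> bool:
    """True if the gate refuses the document."""
    try:
        parse_untrusted(data)
    except ValueError:
        return True
    return False


def identifier_text(data: bytes) -> str:
    """Text of the first child (the ows:Identifier) of an accepted request."""
    return parse_untrusted(data)[0].text
```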

I have contacted the author of the CVE to add weaver.