XML Library Flaw — Sun, Apache, GNOME Affected
bednarz writes with this excerpt from Network World:
"Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."
ASCII Delimited Security Issues (Score:2, Insightful)
Re:ASCII Delimited Security Issues (Score:5, Insightful)
Too bad these developers don't know how to write good unit tests... This could have been avoided...
That's unfair. I'm all about unit tests and they do help find bugs, but a unit test isn't going to find a precisely-crafted piece of malicious input.
Re: (Score:2)
Re:ASCII Delimited Security Issues (Score:5, Funny)
A properly written unit test might have a chance of finding it if you take the approach of writing your unit tests by looking at how the function can fail.
I prefer not to find my bugs...
Re: (Score:2)
What's worse than finding a bug in your XML parser?
Finding half a bug.
Re: (Score:2)
Maybe he is in the hotel business.
Re: (Score:1)
No, he is most likely in the restaurant business, possibly 3 or 4 star.
I've seen more bugs in those places than in McDonald's, but I guess even bugs won't touch that stuff.
Re: (Score:2)
- I'm a student, and may still have something to learn...
Re:Unit Tests (Score:2, Insightful)
Exactly. Unit tests do not prove the absence of bugs. They prove the existence of bugs.
Re: (Score:1)
A properly written unit test might have a chance of finding it if you take the approach of writing your unit tests by looking at how the function can fail. It is still unlikely that you will find it but the most important thing after something like this is found is to add it to your unit tests and look for similar mistakes elsewhere.
Presumably (especially considering how long the bug has managed to go unnoticed and how prevalent it is), it's obscure and an implementation detail (then again, most bugs are). You can't expect random developers to have this kind of knowledge of an underlying XML library -- especially when the rest of the world had no clue either. Despite being unit tested all around the world, nobody has managed to find and report this bug prior to this person. Doesn't that say anything?
Re: (Score:2)
It is still unlikely that you will find it but the most important thing after something like this is found is to add it to your unit tests and look for similar mistakes elsewhere.
I've found that unit testing will catch obvious things and things that you have seen before. Now that this has been found if they unit test for it, not just in the location where it happened but anywhere it makes sense, they can be more sure that it does not happen again.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
That's unfair. I'm all about unit tests and they do help find bugs, but a unit test isn't going to find a precisely-crafted piece of malicious input.
No, probably not. The formal verification would have done that. And yes, I do think code that has the potential to introduce undefined behaviour into high-profile libraries must be verified before you may loose it on the world, why do you ask?
Re: (Score:1)
Too bad these developers don't know how to write good unit tests... This could have been avoided..
That's unfair. I'm all about unit tests and they do help find bugs, but a unit test isn't going to find a precisely-crafted piece of malicious input.
Yes, it could if you're talking about fuzzers. Having made fuzzers for a few programs, it really is amazing how many bugs they catch, how many crashes they cause, and how often they suggest the ability to control execution based on matching up the data in registers with data in the fuzzed input file. There should definitely be some fuzz testing done. I never really thought about it in the context of open-source software-- anybody know what practices are for different projects or where they would get comp
Re:ASCII Delimited Security Issues (Score:4, Informative)
XML in itself is sometimes a denial of service with strange side-effects.
As soon as you insert XML that isn't well-formed into an XML parser it will barf in one way or another. And then you will have to dedicate hours to figure out which tag/data in a 200kB XML request was the culprit. If you are lucky you get a parsing exception, if not you get a null pointer exception or an infinite loop in the parser.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:3, Interesting)
Refusing to handle invalid input isn't denial of service. Also, I haven't seen any XML parser that would give you a null pointer/reference exception on invalid input. In fact, all that I've used will give the exact line/column number at which the error happened.
Re: (Score:2)
It is if the app developer omits to handle it because "oh, that'll never happen." This is not an uncommon attitude, unfortunately.
Re: (Score:2)
Re: (Score:1)
I think he probably meant denial of service from the developer's employer's point of view.
Re: (Score:2)
"As soon as you insert XML that isn't well-formed into a XML parser it will barf in one way or another."
So don't do that, then?
"On two occasions I have been asked, 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
Re: (Score:2)
>>As soon as you insert XML that isn't well-formed into a XML parser it will barf in one way or another. And then you will have to dedicate hours to figure out which tag/data in a 200kB XML request that was the culprit. If you are lucky you get a parsing exception, if not you get a Null pointer exception or an infinite loop in the parser.
What are you talking about?
If by "you will have to dedicate hours to figure out which tag/data in a 200kB XML request that was the culprit...", you mean "reject the d
Re: (Score:2, Insightful)
It's just as easy to fuzz a binary-encoded protocol, it just doesn't require specialized tools. Ever heard of TCP/IP-based DoS attacks?
Re: (Score:1)
Re: (Score:2)
Actually this has been exploited very rarely; excluding MS Windows, which had a gamut of well-publicized issues over the last decade plus. Most notable was the packet of death, which causes Windows boxes to crash/reboot.
Most of the TCP/IP related DoS attacks stem from exploitation of the protocol, not the binary packet format.
Re: (Score:2, Insightful)
i just built firefox-3.5.2 from the sause (Score:2)
Re: (Score:1)
If you are nuts. You would probably be better off spending 20 minutes to first figure out if there are any situations where you are feeding untrusted xml input into python, rather than completely spazzing out.
Re: (Score:2)
So this means after Python patches this flaw I've got to re-roll every app that depends on Python, either just to build or at runtime too?
No. It sounds like Firefox uses python build scripts. There is no risk from using an exploitable Python with "trusted" input, such as the Firefox build scripts. Additionally, this flaw will not "carry-over" from the build scripts to the Firefox code. As long as your Firefox got built, it didn't really matter which version of Python you used.
The only way that this flaw could possibly have any bearing on the Firefox build scripts is if Mozilla tried to exploit your computer using this flaw in their build scripts.
Re: (Score:2)
Re: (Score:2)
So... Gentoo users are screwed?
--- Mr. DOS
Re: (Score:1, Redundant)
So unless you literally roll your own of everything a simple update should suffice.
I'm a Gentoo user, you insensitive clod!
Re: (Score:1)
Re: (Score:2)
Article?? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2, Informative)
I think they in fact did it in a very responsible way. If you read the CERT advisory and everything, it seems they have worked a good part of the year with the industry and CERTs to make sure these problems are actually fixed before letting people know!
Re: (Score:2)
I was thinking the same thing. The article was just too light on details. Even if I wanted to test my systems and even fix them, I wouldn't know where to begin. The article also doesn't mention if the people at Sun, Apache, Gnome, etc. were informed of the specifics of the vulnerability.
Since XML is handled by these projects using libraries (libxml2 in Gnome and Xerces, Xerces2 and Xalan for Apache), wouldn't fixing these libraries effectively fix the "millions of these applications"?
Re: (Score:2)
More details are now available:
http://www.codenomicon.com/labs/xml/ [codenomicon.com]
Also the CERT advisory is finally out:
https://www.cert.fi/en/reports/2009/vulnerability2009085.html [www.cert.fi]
You call that more details?! The first link tells me nothing much other than "OMG! XML is used in lots of places!" and the second is unclear about which libraries actually have the problem (e.g., is expat itself vulnerable or just the version that Python uses?) This is important because it determines who else has to worry about these things. If there are fundamental problems, it's important that they get fixed right back at the root and then the fixes pushed out. Otherwise you just have duplication of effor
Example (Score:2)
Google for "billion laughs".
Re: (Score:3, Funny)
I've included a simple demonstration below - if your browser doesn't contain the flaw then you'll just see the literal XML exploit code (all 200+ lines of it), but if it's vulnerable then you'll only see the initial trigger element on either side of Cmdr Taco's favorite topic.
<\0pwned>OMGPonies!!11one!<\0pwn3d/>
Why is Python excluded from Title? (Score:5, Insightful)
1st Line of Summary = Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project
Re:Why is Python excluded from Title? (Score:5, Funny)
Because pythons are long and big and will not fit the title.
Re: (Score:3, Insightful)
Because pythons are long and big and will not fit the title.
You should get the extra mod point on top of the current 4, just for the fact that your /. name has the word 'snake' in it.
Re: (Score:3, Interesting)
Also, the linked article and the news on the Codenomicon website don't mention GNOME.
Re: (Score:1)
That just shows you how sneaky a python can be !
Solution (Score:2, Insightful)
DoS? (Score:2)
could result in successful denial-of-service attacks
Ah yes, but could it result in successful denial-of-cellphone-service?
Which XML libraries? (Score:4, Insightful)
Which libraries? libxml2, expat, or some other library?
The last I'd checked, Python could use several XML libraries, and Sun distributed several libraries.
It would be nice if TFA had told us which libraries, or had a link to the actual report listing them.
Re: (Score:2)
Considering GNOME is affected, it's probably libxml2 [xmlsoft.org].
Array bound checking? (Score:2)
Is this another array bounds check not being performed? Another "I'm copying huge chunks of weird characters into memory and overwriting crap"?
With all the extra horsepower, can we not get something added to C++ to make this happen?
DoSes seem harder to fight against. Is it bad code that loops forever, or is it just not optimized? I bet most libraries could be found to have some of that.
Re: (Score:2)
Java (well, at least "Sun" code) and Python are in there, and since at least Java's XML libraries are fully native to the VM, which *does* perform bounds checking, this is clearly something else. It's probably more in the semantics than in the syntax; e.g. treating URIs as URLs and following them without checking if they are from the same host.
Re: (Score:2)
Optimization isn't what you want here. It has a tendency to remove expensive checks, like checks that an array boundary isn't being overwritten.
There are a couple of reasonable ways to handle this, but optimization isn't one of them. (My favorite would be to re-write everything in D. I'd've mentioned Ada also, but gnat, by default, doesn't implement the array bounds checking that Ada includes. [It's there, but you've got to select a special compiler option to get it, because that check is expensive at r
Re:Array bound checking? P.S, (Score:2)
You may have noticed that two of the three languages that I mentioned are garbage collected (D and Java). This isn't entirely coincidence. Languages that implement garbage collection in their design, and reduce or eliminate the direct use of pointers seem to eliminate an entire raft of security problems. That they tend to have dynamic arrays and arrays that implement bounds checking is merely one bonus.
C++ was at one time going to implement part of this in the new standard...which has now both had featur
XML... (Score:2, Interesting)
See signature.
random gibberish to make lameness filter happy.
Re: (Score:3, Interesting)
I would if the slashdot UI would have a link or button on the page to view the signature of individual messages.
Handling URI's (Score:2)
If this "security hole" just means that everybody is forgetting to disable the default way these parsers handle URIs for schemas and DTDs, then this is just a big scam. It's a known issue, although I would not be surprised if it isn't well known to many developers. In the worst case it is some kind of way of letting the XML parser perform a random URL request without the developer having the power to stop this from happening.
I must admit that the default behaviour as well as the API documentation leaves a
Someone just rediscovered XML Entity Attacks (Score:4, Interesting)
It's difficult to say from the information provided, but it sounds like someone just rediscovered XML entity attacks (as I did a few years ago). Assuming it is the same thing, here are some references from 2002 and 2006 with more details:
http://www.securiteam.com/securitynews/6D0100A5PU.html [securiteam.com]
http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf [sift.com.au]
I've used these attacks in real-world tests and they are still surprisingly effective - just not new.
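The "billion laughs" post earlier in the thread and this one describe the same family of DTD-driven problems: nested entity expansion and parsers that follow external entity references on their own. The following is an added defensive check, not code from any poster, from Codenomicon or from CERT-FI. It refuses any document carrying a DOCTYPE, entity declaration or external entity reference before the body is processed, using only Python's stdlib expat binding; the sample documents and the `internal.invalid` URL are constructed.

```python
"""Refuse DTD machinery in untrusted XML before it can be expanded or fetched.
Added example (not from the story, Codenomicon or CERT-FI); stdlib only."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """The document carries a DOCTYPE, entity declaration or external reference."""


def parse_untrusted(data: bytes) -> dict:
    """Parse with expat while refusing every DTD feature.

    Returns {"root": name, "elements": count, "text": character data}.
    Raises UnsafeXML on DTD use or on malformed input.
    """
    parser = expat.ParserCreate()
    result = {"root": None, "elements": 0, "text": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires on "<!DOCTYPE" before any entity is declared. An internal
        # subset is where nested entity expansion lives; a SYSTEM id makes
        # the parser fetch a file or URL. Neither is wanted from untrusted input.
        raise UnsafeXML(f"DOCTYPE {name!r} refused (system id {system_id!r})")

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation):
        raise UnsafeXML(f"entity declaration {name!r} refused")

    def on_external_ref(context, base, system_id, public_id):
        # Defence in depth: never let expat resolve an external entity.
        raise UnsafeXML(f"external entity {system_id!r} refused")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name
        result["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = result["text"].append
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    result["text"] = "".join(result["text"])
    return result


def check(data: bytes) -> str:
    """'ok' when the document is accepted, otherwise the refusal reason."""
    try:
        parse_untrusted(data)
        return "ok"
    except UnsafeXML as exc:
        return str(exc)


# Constructed sample documents (not captured from any real application).
BENIGN = b'<?xml version="1.0"?><order id="42"><item>widget</item><qty>3</qty></order>'
# Shape of a nested entity expansion, kept to two levels.
NESTED_ENTITIES = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                   b'<!ENTITY lol2 "&lol;&lol;&lol;">]><lolz>&lol2;</lolz>')
# Entity whose SYSTEM id would make a permissive parser issue an HTTP request.
EXTERNAL_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM '
                   b'"http://internal.invalid:8080/">]><r>&ext;</r>')
MALFORMED = b"<a><b></a>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("nested entities", NESTED_ENTITIES),
                       ("external entity", EXTERNAL_ENTITY), ("malformed", MALFORMED)]:
        print(f"{label:16} -> {check(doc)}")
```

Rejecting the DOCTYPE outright is the right default for data exchanged between services; a parser that genuinely needs a DTD should at least keep the external-reference handler refusing fetches.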
Advisories released (Score:2, Informative)
CERT-FI advisory: https://www.cert.fi/en/reports/2009/vulnerability2009085.html
Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
CERT-FI advisory had a link to Codenomicon web page with some more details: http://www.codenomicon.com/labs/xml/
Re: (Score:1)
I suggest switching to a diet of hay, for the higher protein content.
Re: (Score:3, Interesting)
You'll probably get tagged 'troll' for that, but I'll bite.
It's not that open source is not susceptible to these things (all software is). But with open source, these things are usually found more quickly, and are generally patched/fixed more quickly. I don't have statistics to support a statement that critical errors like this happen less often with open source, but I would have no trouble believing that.
Open source is usually more transparent about the problem, too. Many closed source vendors hide thes
Re: (Score:2)
to the grandparent only: if you dont see the advantages of Open Source software to all users be it commercial or personal then you are not a user yourself and
Re: (Score:2)
To the grandparent only: if you don't see the advantages of Open Source software to all users, be it commercial or personal, then you are not a user yourself and are just a corporate type with the corportista mindset. I've got news for you: money is not everything, and people will go out of their way to get your greedy little paws out of their pockets.
So, if I need Photoshop as part of my job to feed my family, I'm just a corporate type with the corportista mindset and I should either switch to Gimp and pull my hair and lose time and clients or let my family starve?
Whatever happened to using the right tool for the job, instead of letting zealotry take over?
Re: (Score:1)
So, if I need Photoshop as part of my job to feed my family, I'm just a corporate type with the corportista mindset and I should either switch to Gimp and pull my hair and lose time and clients or let my family starve?
But with The GIMP you get to waste weeks of your time trying to wade through its crappy codebase, trying to fix its bugginess and trying to cram in features that it still doesn't have that Photoshop has had for almost a decade. You non-corportistas just don't understand how this is a benefit and not a flaw of the software!
Re: (Score:1)
Re: (Score:2)
Do you have any hard evidence of that or is it just faith?
Don't get me wrong I'm a big fan of open source, free software in the RMS meaning of free. But I just don't really get along with faith. It's quite astonishing how much of the commentary on Slashdot is all about faith with no reference to evidence. I guess we're all human though, even us techie geeks!
Re:Open source (Score:5, Informative)
Also, fuzzing discovers DoSes. But many DoS attacks turn into vulnerabilities in the hands of a skilled hacker, and it's generally not safe to assume that a DoS is unexploitable without extensive code analysis.
Re: (Score:2)
it works quite well and generally doesn't require the source code.
But here, since it's open source, we don't have to rely on coders in a white tower to patch the code directly or someone to hack an intermediate patch. We can start looking right away.
Re: (Score:2)
Couldn't you have at least waited until a linux fanboi didn't understand the summary and made a dumb comment?
All that aside, the way these projects' being open source will make this better is by making a patch come out sooner. The community knows there is a problem. Someone will get on finding it right away, and in a day or two we will see patches getting pushed out that fix it. There's no sitting around helplessly hoping we don't get DoSed until someone at MegaSoft Corp. decide
Re: (Score:2)
All that aside, the way these projects' being open source will make this better is by making a patch come out sooner. The community knows there is a problem. Someone will get on finding it right away, and in a day or two we will see patches getting pushed out that fix it. There's no sitting around helplessly hoping we don't get DoSed until someone at MegaSoft Corp. decides this is worth fixing and rolls a patch.
This is because the Community has unlimited volunteer resources available on very short notice, and large corporations with many paid full-time employees do not.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re:Open source (Score:4, Informative)
Think "I wonder if [google.com] these vulnerabilities could have [google.com] been found earlier [google.com] if the code was [google.com] open source [google.com]."
Re: (Score:2)
Hey man, you did "adobe xml vulnerability" twice!! Admittedly, their security record is appalling, particularly as of late, but still, play fair ;)
More seriously, an article comes out about multiple XML vulnerabilities in multiple open-source XML libraries and your immediate reaction is to rush out and try and shine the light on XML vulnerabilities in closed-source code?! How about you first wait to find out the severity of the exploits in the open-source software, and equally importantly, how long they hav
Re: (Score:2)
Re: (Score:2)
I agree that if these vulnerabilities have been found with fuzzing tools, they would have been detected just as easily in closed source software. But they could have crafted the input data a little according to the structure of the parser code.
But yes, you are right, I was basically backtrolling a troll and it shouldn't be modded up..
Re: (Score:1)
Re: (Score:1)
What am I to think now?
That better is not perfect? Who told you that open source software had absolutely no flaws? The open source software paradigm does not prevent bugs. It only makes it more likely that those bugs will be caught sooner, since so many eyes can peruse the code. If you're not satisfied, ask for a refund...
Re: (Score:2)
It only makes it more likely that those bugs will be caught sooner since so many eyes can peruse the code
Do you have any evidence for this or is it just your belief? I'm sure there are academic papers that look at this and of course there are sizeable historical repositories of vulnerabilities, e.g. US-CERT. It's actually possible to test your hypothesis.
What you find when you do this is that some closed source projects have good track records and some have bad track records. Likewise some open source projects have good track records and some have bad track records. You will find, for example, that there's
Re: (Score:2)
Well, it may be as clear as 2 + 2 = 4 to you but perhaps I'm not as clever as you. In any case I'm somewhat old fashioned and like to have evidence.
The particular article I was thinking of is: "Is Linux Better than Windows Software?", Adenekan (Nick) Dedeke, IEEE Software, Vol 26 issue 3.
The author says:
Re: (Score:2)
Well, you obviously haven't tried before, so why on earth start now?
Re: (Score:2)
What am I to think now?
Start by thinking how nice it would be to wire me some money. Then think about how you don't really need the money. Finally, follow the necessary thought processes that result in action upon these two items.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
You think I've come to the right place?
Re:And they said XML was easy to parse (Score:4, Insightful)
Re: (Score:1, Insightful)
Re: (Score:3, Informative)
Except CSV isn't a standard.
The IETF [ietf.org] might disagree with you.
Re: (Score:3, Informative)
Except CSV isn't a standard.
The IETF [ietf.org] might disagree with you.
"This memo provides information for the Internet community. It does not specify an Internet standard of any kind. "
Re: (Score:2)
"This memo provides information for the Internet community. It does not specify an Internet standard of any kind. "
That's a boilerplate header at the start of every RFC, included for mostly archaic formality reasons -- in reality the RFCs are seen as standards by pretty much anyone working on a project which involves them, and the agreement between RFC users /makes/ them standards, as much as the RFCs themselves would like to object :-P
Re: (Score:3, Insightful)
Re: (Score:2)
sed has been around for more than 20 years though and I bet a couple of one liners can fix most anything right up.
Re: (Score:2)
CSV FTW.
What happens when your data contains \r or \n characters? (I know Oracle's sqlldr / external tables at least will reject that row, and I don't believe they recognize any escape sequence for this.) What happens if the data has commas in it, and the .csv was generated by something that doesn't add quotes?
What do you do if your data is more complicated than a simple table?
Re: (Score:1)
Most of the things you ask about can be done with CSV as long as it's quoted properly. If it's not quoted properly, then it would be considered invalid. There's a nice RFC spec for it here: http://www.ietf.org/rfc/rfc4180.txt [ietf.org]
What happens when your data contains \r or \n characters?
It's perfectly acceptable as long as you quote it (#6 example of RFC 4180). If Oracle doesn't support that, then I would say their implementation is broken.
What happens if the data has commas in it, and the .csv was generated by something that doesn't add quotes?
It's invalid
What do you do if your data is more complicated than a simple table?
I'd need a better example from you, but you can embed a csv record inside a csv field. It starts to get complicated re
Re: (Score:2)
If Oracle doesn't support that, then I would say their implementation is broken.
I'd just suspect it's more than 4 years old (hmm, looks like the 10gR2 we're using was actually released in 2005, and that RFC is dated October 2005). The "standard" is "this seems to be what most people are doing" rather than "here's the definition of a cool new format".
Clearly, you can represent tree style data with CSV, but it has more flexibility than you think.
Hm, cool. Also, ick.
Too many people roll their own CSV, because it seems so simple. Then they don't quote and escape quotes properly blaming any issues on garbage data.
...and then I have to tweak it into the csv dialect that Oracle understands.
Re: (Score:1)
What do you do if your data is more complicated than a simple table?
Are you serious? The same thing one would do in a relational database if your data is more complicated than a simple table...
CSV (Score:2)
\r or \n aren't problems with proper CSV; \r\n combinations define record breaks, and can be included in data fields by enclosing them in double quotes.
Then you should use something that generates proper CSV (which means it either uses quotes properly or doesn't allow anything that needs quoting in data fields.)
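The exchange above turns on what "proper CSV" means for embedded CRLF, commas and double quotes (RFC 4180, example 6). As an added example, not code from any poster, here is a hand-written RFC 4180 record splitter applying exactly those rules, compared against the stdlib `csv` module and against the split-on-commas reader that "roll your own CSV" usually amounts to; `SAMPLE` is constructed test data.

```python
"""Hand-written RFC 4180 field splitting versus a home-grown split().
Added example, not from any poster; SAMPLE is constructed test data."""
import csv
import io
from typing import List

# Three records. Record 2 has a quoted field holding a CRLF, a comma and an
# escaped double quote (the RFC 4180 cases argued about above); record 3 has
# a comma inside a quoted field.
SAMPLE = ('id,note,amount\r\n'
          '1,"line one\r\nline two, ""quoted""",10.50\r\n'
          '2,"Smith, John",7\r\n')


def parse_rfc4180(text: str) -> List[List[str]]:
    """Split text into records per RFC 4180.

    Commas separate fields, CRLF separates records (a lone LF or CR is
    tolerated), a field may be enclosed in double quotes, inside which comma,
    CR and LF are literal and a double quote is written as two.
    """
    records, record, field = [], [], []
    in_quotes = False
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        nxt = text[i + 1] if i + 1 < n else None
        if in_quotes:
            if c != '"':
                field.append(c)                 # CR, LF and comma are data here
            elif nxt == '"':
                field.append('"')               # "" inside quotes is one quote
                i += 1
            else:
                in_quotes = False               # closing quote must end the field
                if nxt not in (None, ',', '\r', '\n'):
                    raise ValueError(f"data after closing quote at offset {i + 1}")
        elif c == '"':
            if field:
                raise ValueError(f"quote inside unquoted field at offset {i}")
            in_quotes = True
        elif c == ',':
            record.append("".join(field))
            field = []
        elif c in '\r\n':
            if c == '\r' and nxt == '\n':
                i += 1                          # CRLF is a single terminator
            record.append("".join(field))
            records.append(record)
            record, field = [], []
        else:
            field.append(c)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted field")
    if field or record:                         # final record lacking CRLF
        record.append("".join(field))
        records.append(record)
    return records


def stdlib_parse(text: str) -> List[List[str]]:
    """Same data through the stdlib csv module (newline='' keeps embedded CRLF)."""
    return list(csv.reader(io.StringIO(text, newline='')))


def naive_split(text: str) -> List[List[str]]:
    """What 'roll your own CSV' usually is: split on line breaks, then on commas.
    Quoted CRLF and commas silently become extra rows and extra fields."""
    return [line.split(',') for line in text.splitlines()]


def is_valid(text: str) -> bool:
    """True when the text parses under the rules above."""
    try:
        parse_rfc4180(text)
        return True
    except ValueError:
        return False
```

On `SAMPLE` the hand-written splitter and `csv.reader` agree on three records, while `naive_split` yields four rows, one of them with four fields.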