
Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40152] #160

Closed
cowtowncoder opened this issue Oct 24, 2022 · 1 comment
Labels
cve Issues related to public CVEs (security vuln reports)
Comments

@cowtowncoder
Member

cowtowncoder commented Oct 24, 2022

(note: originally reported as #157)

Currently there are limits on many aspects of input (nesting, max attribute and element lengths), but not one for limiting nesting within a DTD subset. Let's add a setting for maximum DTD nesting of 500, matching the existing WstxInputProperties.P_MAX_ENTITY_DEPTH used for regular entities (could alternatively match WstxInputProperties.P_MAX_ELEMENT_DEPTH of 1000).

This needs to be configurable as well with, say

 WstxInputProperties.P_MAX_DTD_DEPTH

NOTE: this issue is for resolving [CVE-2022-40152]
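As an added illustration (not code from the issue or from the Woodstox project) of how the limits named above are applied in practice, the following Java snippet builds a Woodstox StAX factory with the three nesting bounds set explicitly and parses a small constructed document carrying an internal DTD subset. `P_MAX_ELEMENT_DEPTH` and `P_MAX_ENTITY_DEPTH` are existing Woodstox properties; `P_MAX_DTD_DEPTH` is the property name proposed in this issue, so it assumes the released setting kept that name. The class name, the limit constants and the sample document are assumptions chosen for the example.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.ctc.wstx.api.WstxInputProperties;
import com.ctc.wstx.stax.WstxInputFactory;

/** Example factory wiring for bounded XML parsing (example class, not from the project). */
public class BoundedWoodstoxParser {
    // Limits mirroring the values discussed in the issue (assumed here, tune for your inputs).
    static final int MAX_ELEMENT_DEPTH = 1000;
    static final int MAX_ENTITY_DEPTH = 500;
    static final int MAX_DTD_DEPTH = 500;

    static XMLInputFactory newFactory() {
        WstxInputFactory f = new WstxInputFactory();
        // External entities are a separate risk; disable them regardless of depth limits.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // DTD subsets are still processed, so bound their nesting as well as the document's.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
        f.setProperty(WstxInputProperties.P_MAX_ELEMENT_DEPTH, MAX_ELEMENT_DEPTH);
        f.setProperty(WstxInputProperties.P_MAX_ENTITY_DEPTH, MAX_ENTITY_DEPTH);
        // Property proposed in this issue (assumed to exist under this name in the fixed release).
        f.setProperty(WstxInputProperties.P_MAX_DTD_DEPTH, MAX_DTD_DEPTH);
        return f;
    }

    /** Streams the document and counts start elements; a limit violation surfaces as XMLStreamException. */
    static int countElements(String xml) throws XMLStreamException {
        XMLStreamReader r = newFactory().createXMLStreamReader(new StringReader(xml));
        int count = 0;
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) {
                    count++;
                }
            }
        } finally {
            r.close();
        }
        return count;
    }

    public static void main(String[] args) {
        // Constructed sample: a well-formed document with a small internal DTD subset.
        String doc = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE note [\n"
                + "  <!ELEMENT note (to, body)>\n"
                + "  <!ELEMENT to (#PCDATA)>\n"
                + "  <!ELEMENT body (#PCDATA)>\n"
                + "]>\n"
                + "<note><to>ops</to><body>limits enabled</body></note>";
        try {
            System.out.println("elements: " + countElements(doc));
        } catch (XMLStreamException e) {
            // A document exceeding any configured depth is rejected here instead of exhausting the parser.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of catching `XMLStreamException` at the call site is that the depth limits turn an unbounded-resource failure into an ordinary parse error the application can log and drop; pairing the DTD bound with `IS_SUPPORTING_EXTERNAL_ENTITIES=false` covers the other common DTD-related exposure.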

@cowtowncoder cowtowncoder added the cve Issues related to public CVEs (security vuln reports) label Oct 24, 2022
@cowtowncoder cowtowncoder added this to the 6.4.0 milestone Oct 24, 2022
@cowtowncoder
Member Author

Fix included in

  • 6.4.0 main release
  • Backported in 5.x for 5.4.0 as well

@cowtowncoder cowtowncoder changed the title Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40151] Oct 24, 2022
@cowtowncoder cowtowncoder changed the title Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40151] Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-xxxxx] Oct 25, 2022
@cowtowncoder cowtowncoder changed the title Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-xxxxx] Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40152] Oct 27, 2022
poikilotherm added a commit to gdcc/xoai that referenced this issue Feb 9, 2023
The origin of CVE-2022-40152 is chaotic at best. It first popped
up in x-stream/xstream#304.

There was a problem with Woodstox, which was resolved for version 6.4.0
in FasterXML/woodstox#160.

Now the CVE is reported on the *API* package, not the implementation.
We're safe here and can suppress the CPE as false positive.