Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40152] #160

Closed
cowtowncoder opened this issue Oct 24, 2022 · 1 comment
Closed

Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40152] #160

cowtowncoder opened this issue Oct 24, 2022 · 1 comment
Labels
cve Issues related to public CVEs (security vuln reports)
Milestone
6.4.0

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Oct 24, 2022
edited
Loading

(note: originally reported as #157)

Currently there are limits to many aspects of input (nesting, max attribute, element lengths), but not one for limiting nesting within DTD subset. Let's add setting for maximum DTD nesting of 500, matching existing WstxInputProperties.P_MAX_ENTITY_DEPTH used for regular entities (could alternatively match WstxInputProperties.P_MAX_ELEMENT_DEPTH of 1000).

This needs to be configurable as well with, say

 WstxInputProperties.P_MAX_DTD_DEPTH

NOTE: this issue is for resolving [CVE-2022-40152]
cowtowncoder added a commit that referenced this issue Oct 24, 2022
@cowtowncoder
Add release notes for #160, minor tweaks
8d66153
@cowtowncoder cowtowncoder added the cve Issues related to public CVEs (security vuln reports) label Oct 24, 2022
@cowtowncoder cowtowncoder mentioned this issue Oct 24, 2022
Merged
@cowtowncoder cowtowncoder added this to the 6.4.0 milestone Oct 24, 2022
@cowtowncoder
Copy link
Member Author

Fix included in

  • 6.4.0 main release
  • Backported in 5.x for 5.4.0 as well

@cowtowncoder cowtowncoder mentioned this issue Oct 24, 2022
Closed
@cowtowncoder cowtowncoder changed the title Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40151] Oct 24, 2022
@cowtowncoder cowtowncoder mentioned this issue Oct 25, 2022
Closed
@cowtowncoder cowtowncoder changed the title Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40151] Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-xxxxx] Oct 25, 2022
@wilx wilx mentioned this issue Oct 26, 2022
Merged
@cowtowncoder cowtowncoder changed the title Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-xxxxx] Add limit and configuration setting for maximum nesting for DTD subsets (similar to main doc) [CVE-2022-40152] Oct 27, 2022
cowtowncoder added a commit that referenced this issue Oct 27, 2022
@cowtowncoder
Release note update (actually #160 and not 162)
44a66e9
@basil basil mentioned this issue Nov 15, 2022
Closed
@risdenk risdenk mentioned this issue Dec 7, 2022
Merged
7 tasks
poikilotherm added a commit to gdcc/xoai that referenced this issue Feb 9, 2023
@poikilotherm
chore(sec): add false positive suppression for stax2-api
5c79194 
The origin of CVE-2022-40152 is chaotic at best. It first popped
up in x-stream/xstream#304.

There was a problem with Woodstox, which was resolved for version 6.4.0
in FasterXML/woodstox#160.

Now the CVE is reported on the *API* package, not the implementation.
We're safe here and can suppress the CPE as false positive.
@pombredanne pombredanne mentioned this issue Apr 21, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cve Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
6.4.0
Development

No branches or pull requests
1 participant
@cowtowncoder