Re: scrollkeeper loading external (online) DTD
hello sebastien..
Received at 2003-01-08 / 23:10 by Sebastien Chaumat:
The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml
In this file the DTD is refered by an absolute external link :
!DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN
http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd;
Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get
the docbookx.dtd.
I can trust signed debian packages but I can't trust
www.oasis-open.org.
More than 18 files in /usr/share/gnome/help/ induce this download.
I'am about to make bug report against scrollkeeper (for acting blindly,
and dowloading the same file more than once) and against packages that
provides the xml files (for using external DTD instead of provinding
it)...
Your opinion?
file a bug report against xbill (and the others). there are (or were) some
issues with libxml2, check bug #153720.
you can tell the maintainer to include something like this in
debian/rules (target config.status):
find -name *.xml -exec perl -i -pe
's,http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd,/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd,'
{} \;
the gnome-applets package does it this way.
bye,
sebastian
--
::: sebastian henschel
::: kodeaffe
::: lynx -source http://www.kodeaffe.de/shensche.pub | gpg --import
msg08410/pgp0.pgp
Description: PGP signature
Re: scrollkeeper loading external (online) DTD
Thats absolutely ridiculous. I would file one at once, that should definitely not go unchecked, at least. I can appreciate the motivation, but for my own sanity I'm too paranoid to a) accept strange unknown files/connections or b) send out requests for such data. Especially considering since it all happens without my knowledge, which thanks, now I know. Who knows if the file is the original? The checksum is verified, but that doesn't mean much all things considered, where did the checksum come from? On 08 Jan 2003 22:54:12 +0100 Sebastien Chaumat [EMAIL PROTECTED] wrote: Hi, This a real example : The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml In this file the DTD is refered by an absolute external link : !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get the docbookx.dtd. I can trust signed debian packages but I can't trust www.oasis-open.org. More than 18 files in /usr/share/gnome/help/ induce this download. I'am about to make bug report against scrollkeeper (for acting blindly, and dowloading the same file more than once) and against packages that provides the xml files (for using external DTD instead of provinding it)... Your opinion? Cheers, SEb -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] msg08411/pgp0.pgp Description: PGP signature
Re: scrollkeeper loading external (online) DTD
From: Hubert Chan [EMAIL PROTECTED] Subject: Re: scrollkeeper loading external (online) DTD Date: 10/01/2003 6:33:22 snip DTDs cannot introduce any vulnerabilities (unless the XML parser is horribly buggy). The worst that can happen is that the file doesn't validate, and scrollkeeper complains. snip Is this strictly true? There have been a few articles on bugtraq recently around this kind of thing. One in the area of bugs, and one around external entities and the potential for a rogue DTD to specify bad URIs. In particular an external reference might cause a parser to open a connection to a site that the user would not wish. Alternately, an entity reference might translate to some form of control string for the application that is later using the parsed XML. And even if the only concern is around bugs, surely experience would indicate that given the growing use of XML parsers in a wide range of applications, we should be careful of all input? External Entities : http://online.securityfocus.com/archive/1/297714 and DTD DoS bug : http://www.macromedia.com/v1/handlers/index.cfm?ID=23559 (Doesn't say much). This message was sent through MyMail http://www.mymail.com.au replyAll Description: PGP signature
Re: scrollkeeper loading external (online) DTD
hello sebastien..
Received at 2003-01-08 / 23:10 by Sebastien Chaumat:
The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml
In this file the DTD is refered by an absolute external link :
!DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN
http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd;
Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get
the docbookx.dtd.
I can trust signed debian packages but I can't trust
www.oasis-open.org.
More than 18 files in /usr/share/gnome/help/ induce this download.
I'am about to make bug report against scrollkeeper (for acting blindly,
and dowloading the same file more than once) and against packages that
provides the xml files (for using external DTD instead of provinding
it)...
Your opinion?
file a bug report against xbill (and the others). there are (or were) some
issues with libxml2, check bug #153720.
you can tell the maintainer to include something like this in
debian/rules (target config.status):
find -name *.xml -exec perl -i -pe
's,http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd,/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd,'
{} \;
the gnome-applets package does it this way.
bye,
sebastian
--
::: sebastian henschel
::: kodeaffe
::: lynx -source http://www.kodeaffe.de/shensche.pub | gpg --import
pgpKLwbKqZ2qm.pgp
Description: PGP signature
Re: scrollkeeper loading external (online) DTD
Thats absolutely ridiculous. I would file one at once, that should definitely not go unchecked, at least. I can appreciate the motivation, but for my own sanity I'm too paranoid to a) accept strange unknown files/connections or b) send out requests for such data. Especially considering since it all happens without my knowledge, which thanks, now I know. Who knows if the file is the original? The checksum is verified, but that doesn't mean much all things considered, where did the checksum come from? On 08 Jan 2003 22:54:12 +0100 Sebastien Chaumat [EMAIL PROTECTED] wrote: Hi, This a real example : The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml In this file the DTD is refered by an absolute external link : !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get the docbookx.dtd. I can trust signed debian packages but I can't trust www.oasis-open.org. More than 18 files in /usr/share/gnome/help/ induce this download. I'am about to make bug report against scrollkeeper (for acting blindly, and dowloading the same file more than once) and against packages that provides the xml files (for using external DTD instead of provinding it)... Your opinion? Cheers, SEb -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] pgpua9VQx6pEu.pgp Description: PGP signature
Re: scrollkeeper loading external (online) DTD
Sebastien == Sebastien Chaumat [EMAIL PROTECTED] writes: Sebastien Hi, This a real example : Sebastien The xbill package contains : Sebastien /usr/share/gnome/help/xbill/C/xbill.xml Sebastien In this file the DTD is refered by an absolute external link Sebastien : Sebastien !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML Sebastien V4.1.2//EN Sebastien http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; That is necessary for a DocBook file. Sebastien Thus : scrollkeeper-update blindly connect to Sebastien www.oasis-open.org to get the docbookx.dtd. Sebastien I can trust signed debian packages but I can't trust Sebastien www.oasis-open.org. DTDs cannot introduce any vulnerabilities (unless the XML parser is horribly buggy). The worst that can happen is that the file doesn't validate, and scrollkeeper complains. Sebastien More than 18 files in /usr/share/gnome/help/ induce this Sebastien download. Sebastien I'am about to make bug report against scrollkeeper (for Sebastien acting blindly, and dowloading the same file more than once) IMHO, the severity of such a bug would be at most wishlist. Sebastien and against packages that provides the xml files (for using Sebastien external DTD instead of provinding it)... It should not be providing the DTD. At most, it should depend on docbook-xml, which provides the DTD, although I would suggest making it a Recommends rather than Depends. AFAIK, if docbook-xml is installed, scrollkeeper will use the local copy, rather than fetching it over the network. (If not, this should be another wishlist bug.) (Hmm. On my system (sid), scrollkeeper already depends on docbook-xml.) -- Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. pgp3SadAAFnYh.pgp Description: PGP signature
Re: scrollkeeper loading external (online) DTD
From: Hubert Chan [EMAIL PROTECTED] Subject: Re: scrollkeeper loading external (online) DTD Date: 10/01/2003 6:33:22 snip DTDs cannot introduce any vulnerabilities (unless the XML parser is horribly buggy). The worst that can happen is that the file doesn't validate, and scrollkeeper complains. snip Is this strictly true? There have been a few articles on bugtraq recently around this kind of thing. One in the area of bugs, and one around external entities and the potential for a rogue DTD to specify bad URIs. In particular an external reference might cause a parser to open a connection to a site that the user would not wish. Alternately, an entity reference might translate to some form of control string for the application that is later using the parsed XML. And even if the only concern is around bugs, surely experience would indicate that given the growing use of XML parsers in a wide range of applications, we should be careful of all input? External Entities : http://online.securityfocus.com/archive/1/297714 and DTD DoS bug : http://www.macromedia.com/v1/handlers/index.cfm?ID=23559 (Doesn't say much). This message was sent through MyMail http://www.mymail.com.au replyAll Description: PGP signature
scrollkeeper loading external (online) DTD
Hi, This a real example : The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml In this file the DTD is refered by an absolute external link : !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get the docbookx.dtd. I can trust signed debian packages but I can't trust www.oasis-open.org. More than 18 files in /usr/share/gnome/help/ induce this download. I'am about to make bug report against scrollkeeper (for acting blindly, and dowloading the same file more than once) and against packages that provides the xml files (for using external DTD instead of provinding it)... Your opinion? Cheers, SEb -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
scrollkeeper loading external (online) DTD
Hi, This a real example : The xbill package contains : /usr/share/gnome/help/xbill/C/xbill.xml In this file the DTD is refered by an absolute external link : !DOCTYPE article PUBLIC -//OASIS//DTD DocBook XML V4.1.2//EN http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd; Thus : scrollkeeper-update blindly connect to www.oasis-open.org to get the docbookx.dtd. I can trust signed debian packages but I can't trust www.oasis-open.org. More than 18 files in /usr/share/gnome/help/ induce this download. I'am about to make bug report against scrollkeeper (for acting blindly, and dowloading the same file more than once) and against packages that provides the xml files (for using external DTD instead of provinding it)... Your opinion? Cheers, SEb
