On Thu, Nov 17, 2016 at 4:48 PM, Kent Fredric <ken...@gentoo.org> wrote:
> On Thu, 17 Nov 2016 20:57:26 +0000
> "Robin H. Johnson" <robb...@gentoo.org> wrote:
>
>> - eg metadata.xml (nothing for user systems is impacted by it, other
>> than to give output about packages).
>
> Idle thought: Given there are classes of vulnerabilities related to XML
> parsing and decoding, any systems that attempt to read this file should
> ensure it is "good" before doing so.
>
> But I don't really know the specifics of XXE vulns, only that I saw a
> few in the last few months.
Keep in mind that at some point it is vulnerabilities all the way down.

How do we make sure the xml file is good? Well, let's read the hashes from a manifest, and check them. Except, that means parsing a manifest file using a parser that might have a vulnerability, and it requires calculating a hash on a file, and the hash utility might have a vulnerability. Oh, and how do you know those helper programs are still intact? Better check their hashes against a manifest too, which just requires parsing a manifest file and using a hash utility... :)

I'm not against file integrity checks, of course, but at some point if you have an xml parser with a vulnerability you're probably going to want to fix that...

--
Rich
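A worked illustration of the two points raised in this exchange: checking metadata.xml against Manifest hashes before reading it, and then reading it with a parser that refuses any DOCTYPE or entity declaration, which is what takes the XXE class (and entity-expansion blow-ups) off the table for a file that never legitimately carries a DTD. This is an added example, not code from the thread or from Portage. Assumptions: the Manifest `DATA` line layout used here (name, size, BLAKE2B, SHA512) and the rule that both digests must match are this example's own; the metadata.xml sample and the DTD-bearing sample are constructed.

```python
import hashlib
import hmac
import xml.parsers.expat
from xml.etree.ElementTree import TreeBuilder

# Constructed sample in the rough shape of a Gentoo metadata.xml (assumed layout).
METADATA_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<pkgmetadata>
  <maintainer type="person">
    <email>maintainer@example.org</email>
  </maintainer>
  <longdescription>Constructed example package.</longdescription>
</pkgmetadata>
"""

# Constructed sample that declares a DTD with an external entity; a strict reader
# should refuse it before any element is processed.
DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE pkgmetadata [ <!ENTITY ext SYSTEM "file:///nonexistent/example"> ]>
<pkgmetadata>&ext;</pkgmetadata>
"""


class UnsafeXML(Exception):
    """Raised when a document declares a DTD, an entity, or an external reference."""


def parse_xml_strict(data):
    """Parse bytes into an ElementTree Element, rejecting DOCTYPE/entity constructs.

    expat is driven directly so the DOCTYPE and entity-declaration callbacks can
    abort the parse; element/character callbacks feed a TreeBuilder.
    """
    builder = TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    def reject(*args):
        raise UnsafeXML("DOCTYPE/entity declaration refused: %r" % (args,))

    parser.StartDoctypeDeclHandler = reject       # any <!DOCTYPE ...> aborts
    parser.EntityDeclHandler = reject             # any <!ENTITY ...> aborts
    parser.ExternalEntityRefHandler = lambda *a: 0  # never follow external refs
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data):
    """True if parse_xml_strict refuses `data` as unsafe."""
    try:
        parse_xml_strict(data)
    except UnsafeXML:
        return True
    return False


def manifest_data_line(name, data):
    """Build an assumed Manifest-style DATA line: name, size, BLAKE2B, SHA512."""
    return "DATA %s %d BLAKE2B %s SHA512 %s" % (
        name, len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest())


# Constructed Manifest covering the sample file above.
MANIFEST = manifest_data_line("metadata.xml", METADATA_XML) + "\n"


def verify_manifest_entry(name, data, manifest_text):
    """True iff a DATA line for `name` exists and size plus both digests match."""
    expected = {"BLAKE2B": hashlib.blake2b(data).hexdigest(),
                "SHA512": hashlib.sha512(data).hexdigest()}
    for line in manifest_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "DATA" or fields[1] != name:
            continue
        if fields[2] != str(len(data)):
            return False
        recorded = dict(zip(fields[3::2], fields[4::2]))
        # Constant-time comparison of every required digest (assumed policy:
        # both algorithms must be present and match).
        return all(alg in recorded and hmac.compare_digest(recorded[alg], digest)
                   for alg, digest in expected.items())
    return False


def load_metadata(name, data, manifest_text):
    """Integrity check first, strict parse second; returns the root Element."""
    if not verify_manifest_entry(name, data, manifest_text):
        raise ValueError("Manifest check failed for %s" % name)
    return parse_xml_strict(data)


if __name__ == "__main__":
    root = load_metadata("metadata.xml", METADATA_XML, MANIFEST)
    print("root element:", root.tag)
    print("tampered copy passes Manifest:",
          verify_manifest_entry("metadata.xml", METADATA_XML + b"\n", MANIFEST))
    print("DTD-bearing document rejected:", is_rejected(DTD_XML))
```

The Manifest check rejects a file that differs by even one byte, and the parser rejects the document at the DOCTYPE before any entity can be resolved, so the parsing code never sees the contents of the referenced file. As Rich notes, this only moves trust onto the hash routine and the Manifest reader; it does not make a vulnerable XML parser safe to keep.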