Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 598766 (CVE-2016-9181) - <dev-perl/Image-Info-1.390.0: XXE
Summary: <dev-perl/Image-Info-1.390.0: XXE
Status: RESOLVED FIXED
Alias: CVE-2016-9181
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-02 10:50 UTC by Agostino Sarubbo
Modified: 2017-01-16 00:24 UTC (History)
1 user (show)

See Also:
Package list:
=dev-perl/Image-Info-1.390.0
Runtime testing required: No
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-11-02 10:50:06 UTC 
From ${URL} :

The Image::Info package makes no precautions against external entity
expansion in SVG files.  A crafted file could cause information disclosure
or denial of service.

Upstream bug:

https://rt.cpan.org/Public/Bug/Display.html?id=118099

Upstream patch:

http://search.cpan.org/diff?from=Image-Info-1.38&to=Image-Info-1.38_50&w=1


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2016-11-03 23:03:16 UTC 
Arches please stabilize =dev-perl/Image-Info-1.390.0

Target: amd64 ppc ppc64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2016-11-04 08:38:29 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-04 08:38:56 UTC 
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-04 13:27:15 UTC 
Stable for PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-15 16:02:51 UTC 
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-15 19:31:02 UTC 
GLSA Vote: No
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2017-01-15 19:36:25 UTC 
Cleanup done