600820 – www-apps/ikiwiki: Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)

Bug 600820 - www-apps/ikiwiki: Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)

Summary: www-apps/ikiwiki: Package uses dev-perl/XML-Twig and makes no clear statement...

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [upstream cve]
Keywords:

Depends on:
Blocks:	600818
	Show dependency tree

Reported:	2016-11-25 16:56 UTC by Thomas Deutschmann (RETIRED)
Modified:	2019-08-25 01:34 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-25 16:56:27 UTC

It is suspected that this package is vulnerable to a security vulnerability due to expanding of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600818.


# grep -Fr 'Twig->new' /var/tmp/portage/www-apps/ikiwiki-3.20160905/work/ikiwiki-3.20160905
/var/tmp/portage/www-apps/ikiwiki-3.20160905/work/ikiwiki-3.20160905/t/map.t:   my $tree = XML::Twig->new(pretty_print => 'indented');