Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600822 - sci-biology/bioperl-run: Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)
Summary: sci-biology/bioperl-run: Package uses dev-perl/XML-Twig and makes no clear st...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream?]
Keywords:
Depends on:
Blocks: 600818
  Show dependency tree
 
Reported: 2016-11-25 17:00 UTC by Thomas Deutschmann (RETIRED)
Modified: 2019-08-25 01:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 17:00:31 UTC 
It is suspected that this package is vulnerable to a security vulnerability due to expanding of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600818.


# grep -Fr 'Twig->new' /var/tmp/portage/sci-biology/bioperl-run-1.6.9/work/BioPerl-Run-1.006900
/var/tmp/portage/sci-biology/bioperl-run-1.6.9/work/BioPerl-Run-1.006900/lib/Bio/DB/ESoap/WSDL.pm:      XML::Twig->new(
/var/tmp/portage/sci-biology/bioperl-run-1.6.9/work/BioPerl-Run-1.006900/lib/Bio/DB/ESoap/WSDL.pm:      my $imported = XML::Twig->new();
/var/tmp/portage/sci-biology/bioperl-run-1.6.9/work/BioPerl-Run-1.006900/lib/Bio/DB/ESoap/WSDL.pm:          my $incl = XML::Twig->new();
/var/tmp/portage/sci-biology/bioperl-run-1.6.9/work/BioPerl-Run-1.006900/lib/Bio/Tools/Run/EMBOSSacd.pm:    my $t = XML::Twig->new( TwigHandlers =>