Bug 600828 - <dev-perl/GraphViz-2.240.0: Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)
Summary: <dev-perl/GraphViz-2.240.0: Package uses dev-perl/XML-Twig and makes no clear...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://rt.cpan.org/Ticket/Display.ht...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 600818
Reported: 2016-11-25 17:31 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-23 02:41 UTC

See Also:
Package list:
dev-perl/GraphViz-2.240.0
Runtime testing required: No
stable-bot: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 17:31:39 UTC
It is suspected that this package is vulnerable to a security vulnerability due to expansion of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or has been) affected.

Please see the information contained in the tracker bug 600818.


# grep -Fr 'Twig->new' /var/tmp/portage/dev-perl/GraphViz-2.200.0/work/GraphViz-2.20
/var/tmp/portage/dev-perl/GraphViz-2.200.0/work/GraphViz-2.20/lib/GraphViz/XML.pm:    my $t = XML::Twig->new();
Comment 1 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2016-12-26 18:55:32 UTC
commit d0e08d870bade71e8270b8344afc7c9fdb5969d8
Author: Kent Fredric <kentnl@gentoo.org>
Date:   Tue Dec 27 07:45:54 2016 +1300

    dev-perl/GraphViz: Bump to version 2.230.0 re #600828
    
    - Use DIST_EXAMPLES
    
    Upstream:
    - Fix tests broken by lack of { escaping in regex.
    - Move to EUMM
    - Bail out if there is no `dot`
    - use no_xxe with XML::Twig instantiation

https://metacpan.org/pod/release/RSAVAGE/GraphViz-2.23/lib/GraphViz.pm#How-do-you-handle-XXE-within-XML

Difference is small enough that we can probably go start stabilizing. Almost no code change other than XXE, mostly packaging.
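Added illustration of the issue and the fix, not code from this bug, from GraphViz or from XML::Twig: the default XML::Twig instantiation flagged by the grep above hands external entity resolution to XML::Parser, whose stock handler opens the referenced file, while the no_xxe option adopted upstream makes the parse refuse it. The XML document, the temporary "secret" file it points at and the surrounding script are constructed for the example; the no_xxe behaviour is what XML::Twig documents (the parse dies on an external entity), and the eval reports whichever outcome actually occurs.

```perl
#!/usr/bin/perl
# Added example (not from bug 600828, GraphViz or XML::Twig): the weak
# XML::Twig->new() beside the hardened XML::Twig->new(no_xxe => 1).
use strict;
use warnings;
use XML::Twig;
use File::Temp qw(tempfile);

# Constructed stand-in for a sensitive local file the attacker wants read.
my ($fh, $secret_path) = tempfile();
print {$fh} "top-secret\n";
close $fh;

# Constructed malicious input: a DTD declaring an external general entity
# whose system identifier is the local file, referenced in element content
# (external entities are not permitted inside attribute values by the spec,
# so content is where an attacker would place the reference).
my $xml = <<"END_XML";
<?xml version="1.0"?>
<!DOCTYPE graph [ <!ENTITY xxe SYSTEM "$secret_path"> ]>
<graph><node>&xxe;</node></graph>
END_XML

# Default construction, as in the pre-2.23 GraphViz::XML shown above:
# XML::Parser's default ExternEnt handler opens the file and the entity
# expands, so the file's contents end up in the parsed tree.
my $weak = XML::Twig->new();
$weak->parse($xml);
my $leaked = $weak->root->first_child('node')->text;
print "default XML::Twig->new():  node text = '$leaked'\n";

# Hardened construction: no_xxe tells XML::Twig to refuse external
# entities rather than resolve them, so the parse dies before any file
# is touched. Applications should catch that and treat it as hostile input.
my $safe = XML::Twig->new(no_xxe => 1);
my $ok = eval { $safe->parse($xml); 1 };
if ($ok) {
    print "no_xxe => 1:  parse succeeded (unexpected), text = '",
        $safe->root->first_child('node')->text, "'\n";
} else {
    print "no_xxe => 1:  parse refused: $@";
}

unlink $secret_path;
```

Run it as a normal user against a current dev-perl/XML-Twig; the first parse prints the contents of the temporary file, the second reports the refusal. The same check (grep for `Twig->new` and confirm `no_xxe` is passed, or that the input is never attacker-controlled) is what the tracker bug asks each maintainer to do for their package.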
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-01-17 21:05:50 UTC
Please stabilize, target amd64 x86

dev-perl/GraphViz-2.240.0
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-18 11:29:12 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-18 11:57:20 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-22 12:24:54 UTC
commit 0ba719c6cbcdfa468e553fc423e1088e5d438a1a
Author: Kent Fredric <kentnl@gentoo.org>
Date:   Mon Jan 23 01:23:34 2017 +1300

    dev-perl/GraphViz: Clean up old versions re bug #600828
    
    No significant difference between recent versions and this one,
    other than upstream adding special handling for xxe
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-01-23 02:41:25 UTC
Tree is clean.