Bug 636976 (CVE-2017-9096) - dev-java/itext: XML external entity (XXE) vulnerability (CVE-2017-9096)
Summary: dev-java/itext: XML external entity (XXE) vulnerability (CVE-2017-9096)
Status: RESOLVED FIXED
Alias: CVE-2017-9096
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Duplicates: 637476
Depends on:
Blocks:
 
Reported: 2017-11-09 16:21 UTC by GLSAMaker/CVETool Bot
Modified: 2019-09-15 02:28 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-09 16:21:12 UTC
CVE-2017-9096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9096):
  The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable
  external entities, which might allow remote attackers to conduct XML
  external entity (XXE) attacks via a crafted PDF.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-09 16:21:53 UTC
@Maintainers please call for stabilization when ready.

Thank you
Comment 2 Francis Booth 2017-11-14 12:01:25 UTC
*** Bug 637476 has been marked as a duplicate of this bug. ***
Comment 3 William L. Thomson Jr. 2017-11-18 01:39:24 UTC
Mask and remove itext. There is a fork that does not require a license, etc.
https://github.com/LibrePDF/OpenPDF
Comment 4 Larry the Git Cow gentoo-dev 2019-09-14 15:48:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=939d02c84c4ffef19acd328fb4e1f9129d04c28d

commit 939d02c84c4ffef19acd328fb4e1f9129d04c28d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:45:52 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:45:52 +0000

    dev-java/itext: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/636976
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-java/itext/Manifest                            |  4 --
 .../itext-5.5.4-OcspClientBouncyCastle.java.patch  | 15 -----
 dev-java/itext/itext-2.1.5-r2.ebuild               | 78 ----------------------
 dev-java/itext/itext-5.5.4-r2.ebuild               | 57 ----------------
 dev-java/itext/metadata.xml                        | 25 -------
 profiles/package.mask                              |  5 --
 6 files changed, 184 deletions(-)
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-09-15 02:28:39 UTC
buh bye