Bug 779475 (CVE-2021-46849) - <dev-python/pikepdf-2.10.0: XML External Entity (XXE) processing vulnerability in PDF XMP metadata parsing
Status: RESOLVED FIXED
Alias: CVE-2021-46849
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Reported: 2021-03-31 07:26 UTC by Michał Górny
Modified: 2022-10-24 13:51 UTC
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-03-31 07:26:47 UTC
+v2.10.0
+=======
+
+-  Fixed a XML External Entity (XXE) processing vulnerability in PDF XMP metadata
+   parsing. (Reported by Eric Therond of Sonarsource.) All users should upgrade
+   to get this security update.
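Review bot: The changelog entry at the "Fixed a XML External Entity (XXE) processing vulnerability" line does not say which earlier releases are affected or how XMP metadata parsing was changed, so a packager reading only this text cannot tell which versions to treat as vulnerable. Suggest stating the affected version range and the nature of the fix in the entry. Style point on the same line: "a XML" should read "an XML".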
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 14:10:59 UTC
amd64 done

all arches done
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 17:00:26 UTC
Please clean up.
Comment 5 Larry the Git Cow gentoo-dev 2021-04-02 17:08:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87de46fbf3911c116b8794d6dcc01882ec1ecbe2

commit 87de46fbf3911c116b8794d6dcc01882ec1ecbe2
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-04-02 17:07:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-04-02 17:08:07 +0000

    dev-python/pikepdf: Remove old
    
    Bug: https://bugs.gentoo.org/779475
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pikepdf/Manifest                |  3 --
 dev-python/pikepdf/pikepdf-2.7.0.ebuild    | 47 ---------------------------
 dev-python/pikepdf/pikepdf-2.8.0_p2.ebuild | 51 ------------------------------
 dev-python/pikepdf/pikepdf-2.9.2.ebuild    | 51 ------------------------------
 4 files changed, 152 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 18:12:04 UTC
Package list is empty or all packages have requested keywords.
Comment 12 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 15:29:53 UTC
I think we can noglsa it and resolve after this 1.5 yr.
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 17:02:35 UTC
Sure, thanks!