Bug 600818

Summary:	[TRACKER] Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	kentnl, slawomir.nizio
Priority:	Normal	Keywords:	Tracker
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	598764, 600820, 600822, 600824, 600826, 600828, 600830, 600834, 600836, 600840, 600842, 600844, 631592, 631602
Bug Blocks:

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-25 16:46:19 UTC

See also bug 598764 regarding the problem in dev-perl/XML-Twig which caused external entities to always expand which can be a problem in case the input XML cannot be trusted, i.e. an entity like

C<< <!ENTITY xxe PUBLIC "bar" "/etc/passwd"> >>

could make the password field available in the document.


As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-25 16:50:33 UTC

As hint:

Grep the source code for "Twig->new". If you see that the code will set the "no_xxe" option we can be sure that the author is aware of the problem and is handling entities on purpose.

If you cannot find the new option check if the code will get in touch with XML input which cannot be trusted or better bring this to upstream's attention.

Comment 2 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev

2016-11-26 02:11:45 UTC

(In reply to Thomas Deutschmann from comment #1)
> As hint:
> 
> Grep the source code for "Twig->new". 

Also grep for:

  Twig::new

And

   new XML::Twig

Because of course there's 3 different syntax for that. ( And the last of these was even recommended once upon a time https://metacpan.org/pod/release/MIROD/XML-Twig-2.02/Twig.pm#SYNOPSIS )