| Summary: | [TRACKER] Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | kentnl, slawomir.nizio |
| Priority: | Normal | Keywords: | Tracker |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 598764, 600820, 600822, 600824, 600826, 600828, 600830, 600834, 600836, 600840, 600842, 600844, 631592, 631602 | | |
| Bug Blocks: | | | |
Description

Thomas Deutschmann (RETIRED)
2016-11-25 16:46:19 UTC

As a hint: grep the source code for "Twig->new". If you see that the code sets the "no_xxe" option, we can be sure that the author is aware of the problem and is handling entities on purpose. If you cannot find the new option, check whether the code will get in touch with XML input which cannot be trusted, or better, bring this to upstream's attention.

---

(In reply to Thomas Deutschmann from comment #1)
> As a hint:
>
> Grep the source code for "Twig->new".

Also grep for:

    Twig::new

And

    new XML::Twig

Because of course there are 3 different syntaxes for that. (And the last of these was even recommended once upon a time: https://metacpan.org/pod/release/MIROD/XML-Twig-2.02/Twig.pm#SYNOPSIS)
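The triage procedure the two comments describe (find every XML::Twig constructor spelling, then see whether the file ever sets `no_xxe`) can be scripted. The following POSIX shell helper is an added example written for this page; it is not part of the Gentoo bug, of any ebuild, or of XML::Twig itself. It assumes the package's unpacked sources live under a directory of `*.pm`, `*.pl` and `*.t` files, and the sample tree it builds is entirely constructed for the demonstration. It matches all three spellings named above (`XML::Twig->new`, `XML::Twig::new`, and the indirect-object `new XML::Twig`) and reports files that construct a Twig without mentioning `no_xxe` anywhere.

```shell
#!/bin/sh
# Added triage helper for the XML::Twig / CVE-2016-9180 tracker (example code,
# not from the bug): list Perl sources that build an XML::Twig parser but never
# mention the "no_xxe" option.
set -eu

# All three constructor spellings named in the bug comments:
#   XML::Twig->new(...)   XML::Twig::new(...)   new XML::Twig(...)
TWIG_CTOR='Twig->new|Twig::new|new[[:space:]]+XML::Twig'

# Print, one per line and sorted, every *.pm / *.pl / *.t file under $1 that
# creates a Twig but never sets no_xxe. This is a heuristic: the option may be
# passed through a hash built elsewhere, so a hit means "needs review", not
# "confirmed vulnerable", and a file mentioning no_xxe => 0 would be skipped.
twig_files_missing_no_xxe() {
    dir=$1
    find "$dir" -type f \( -name '*.pm' -o -name '*.pl' -o -name '*.t' \) -print \
    | sort \
    | while IFS= read -r f; do
        if grep -Eq "$TWIG_CTOR" "$f" && ! grep -q 'no_xxe' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree standing in for a package's unpacked sources.
# Every file below is made up for this example.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/lib" "$dir/bin"
    cat > "$dir/lib/Safe.pm" <<'EOF'
package Safe;
use XML::Twig;
# Author explicitly opts out of external entity expansion.
my $t = XML::Twig->new( no_xxe => 1, twig_handlers => {} );
1;
EOF
    cat > "$dir/lib/Arrow.pm" <<'EOF'
package Arrow;
use XML::Twig;
my $t = XML::Twig->new( twig_handlers => {} );
1;
EOF
    cat > "$dir/lib/Colon.pm" <<'EOF'
package Colon;
use XML::Twig;
my $t = XML::Twig::new( 'XML::Twig', pretty_print => 'indented' );
1;
EOF
    cat > "$dir/bin/indirect.pl" <<'EOF'
use XML::Twig;
# Indirect-object syntax, once recommended in the module's own SYNOPSIS.
my $t = new XML::Twig;
$t->parsefile( $ARGV[0] );
EOF
    cat > "$dir/lib/NoXml.pm" <<'EOF'
package NoXml;
# Has a "new" but no XML::Twig at all; must not be reported.
sub new { bless {}, shift }
1;
EOF
}

# Stand-alone run: build the tree in a temp dir, list the suspects, clean up.
run_demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    twig_files_missing_no_xxe "$tmp"
    rm -rf "$tmp"
}
```

Running `run_demo` on the constructed tree reports `bin/indirect.pl`, `lib/Arrow.pm` and `lib/Colon.pm` and stays silent on `lib/Safe.pm` and `lib/NoXml.pm`. For a real package, point `twig_files_missing_no_xxe` at the unpacked `${S}` and read each hit by hand, since the script only answers the question the comments pose (is `no_xxe` ever set?) and not whether the parsed XML is actually untrusted.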