Bug 600836

Summary:	app-admin/system-tools-backends: Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED WONTFIX
Severity:	normal	CC:	lxqt
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [upstream?]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	600818

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-25 17:41:41 UTC

It is suspected that this package is vulnerable to a security vulnerability due to expanding of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600818.


# grep -Fr 'Twig->new' /var/tmp/portage/app-admin/system-tools-backends-2.10.2/work/system-tools-backends-2.10.2
/var/tmp/portage/app-admin/system-tools-backends-2.10.2/work/system-tools-backends-2.10.2/Net-DBus/lib/Net/DBus/Binding/Introspector.pm:    my $twig = XML::Twig->new();


...so this is due to embedded dev-lang/Net-DBus, see bug 600824 and consider to unbundle.