Bug 600840

Summary:	dev-perl/Lab-Measurement: Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED OBSOLETE
Severity:	normal	CC:	dilfridge, kentnl, sci
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/lab-measurement/lab-measurement/issues/9
Whiteboard:	B3 [upstream?]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	600818

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-25 17:47:08 UTC

It is suspected that this package is vulnerable to a security vulnerability due to expanding of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600818.


# grep -Fr 'Twig->new' /var/tmp/portage/dev-perl/Lab-Measurement-3.531.0/work/Lab-Measurement-3.531
/var/tmp/portage/dev-perl/Lab-Measurement-3.531.0/work/Lab-Measurement-3.531/lib/Lab/Data/XMLtree.pm:    my $t = XML::Twig->new(

Comment 1 D'juan McDonald (domhnall) 2017-09-20 08:31:02 UTC

hi, I tested on 9/19/2017 -- 

developer / # grep -Fr 'use XML::Twig' Lab-Measurement-3.554
developer / #

Further upstream removed  Lab::Data::XMLtree from package as it is deprecated.

Package dev-perl/Lab-Measurement-3.550 is in tree. Seems ready for bump?

Comment 2 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev

2018-03-24 08:31:02 UTC

No versions of Lab-Measurement in tree mention XML-Tree anymore. Last versions removed 2017-11-29