Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 600844

Summary: www-apps/bugzilla: Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED WONTFIX    
Severity: normal CC: craig, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [upstream?]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 600818    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 17:54:45 UTC 
It is suspected that this package is vulnerable to a security vulnerability due to expanding of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600818.


 # grep -Fr 'Twig->new' /var/tmp/portage/www-apps/bugzilla-5.0.3/work/bugzilla-5.0.3
/var/tmp/portage/www-apps/bugzilla-5.0.3/work/bugzilla-5.0.3/Bugzilla/Update.pm:    my $twig = XML::Twig->new();
/var/tmp/portage/www-apps/bugzilla-5.0.3/work/bugzilla-5.0.3/importxml.pl:my $twig = XML::Twig->new(