
Bug 616474 (CVE-2017-5661)

Summary: <dev-java/fop-2.3: XML external entity processing vulnerability
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: ajak, java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa? cve]
Package list:
Runtime testing required: ---
Bug Depends on: 834482
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2017-04-24 11:43:04 UTC
From ${URL} :

In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within an XML document can trivially trigger an amplification

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
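The XXE path described in the report above, as an added example that is not part of the bug report or of Apache FOP's code: a constructed SVG whose DTD declares an external entity pointing at a local file is parsed by Python's xml.sax (expat), which stands in here for the XML parser a server-side SVG renderer would use. The secret file, the payload and the handler classes are all assumptions made for the demonstration. With external general entities enabled the file's contents come back as the content of the <text> element; with them disabled the reference expands to nothing; and a lexical handler that rejects any DOCTYPE stops the document before an entity can even be declared.

```python
# Added illustration for the CVE-2017-5661 description; not Apache FOP code.
# Python's xml.sax (expat) stands in for the XML parser of a server-side SVG
# renderer; SECRET, the payload and the handler classes are all constructed here.
import io
import os
import tempfile
import xml.sax
from xml.sax import handler

SECRET = b"db_password=hunter2"  # constructed stand-in for a sensitive server file


class DoctypeRejected(Exception):
    """Raised by the hardened configuration as soon as a DTD is seen."""


class TextCollector(handler.ContentHandler):
    """Collects the character data of each <text> element, as a renderer would."""

    def __init__(self):
        super().__init__()
        self.texts = []
        self._buf = None  # list while inside <text>, else None

    def startElement(self, name, attrs):
        if name == "text":
            self._buf = []

    def characters(self, content):
        # Entity replacement text (an external entity's file contents included)
        # arrives here exactly like literal text.
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "text":
            self.texts.append("".join(self._buf))
            self._buf = None


class DoctypeBlocker:
    """Lexical handler that refuses any DOCTYPE: with no DTD no entity can be
    declared, so neither file disclosure nor entity-expansion amplification is possible."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE %r is not allowed in uploaded SVG" % name)

    def _ignore(self, *args):  # remaining lexical callbacks expat wires up
        pass

    endDTD = comment = startCDATA = endCDATA = _ignore


def write_secret_file():
    """Write SECRET to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(SECRET)
    return path


def malicious_svg(target_path):
    """Constructed attacker SVG: the DTD binds &xxe; to a local file and the
    <text> element expands it, so the file contents become rendered text."""
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE svg [\n"
        b'  <!ENTITY xxe SYSTEM "file://' + target_path.encode() + b'">\n'
        b"]>\n"
        b'<svg xmlns="http://www.w3.org/2000/svg" width="200" height="50">\n'
        b'  <text x="10" y="30">&xxe;</text>\n'
        b"</svg>\n"
    )


def render_texts(svg, external_entities, reject_doctype):
    """Parse svg and return the text of its <text> elements. external_entities=True
    resolves SYSTEM entities (the vulnerable setting); False makes expat expand the
    reference to nothing; reject_doctype=True aborts on any DTD at all."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, external_entities)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, DoctypeBlocker())
    parser.parse(io.BytesIO(svg))
    return collector.texts


def demo():
    """Run the payload against the three configurations and summarise the outcome."""
    path = write_secret_file()
    try:
        svg = malicious_svg(path)
        leaked = render_texts(svg, external_entities=True, reject_doctype=False)
        skipped = render_texts(svg, external_entities=False, reject_doctype=False)
        try:
            render_texts(svg, external_entities=False, reject_doctype=True)
            rejected = False
        except DoctypeRejected:
            rejected = True
    finally:
        os.unlink(path)
    return {"leaked": leaked, "skipped": skipped, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Running the script prints the three outcomes: the vulnerable configuration returns the secret file's contents as the rendered text, the second returns an empty string, and the third raises before any element is parsed. Rejecting the DOCTYPE outright is the stronger of the two controls, since with only external entities disabled an internal subset can still declare the nested entities used for expansion amplification.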
Comment 1 Dimitris Nakos (sokan) 2018-05-27 18:01:03 UTC
@maintainer(s): ping

FOP 2.3 is available (which also contains the fix).

Demetris Nakos
- Gentoo Security Padawan -
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-10 02:29:53 UTC
Maintainer(s): Ping.

FOP is now at version 2.5 upstream. Fix for CVE-2017-5661 was released with 2.2.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2020-06-10 03:13:42 UTC
Maintainers, please update the vulnerable package, or consider removing from tree if there are no plans to update.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-14 01:47:14 UTC