Bug 637476

Summary: dev-java/itext-5.5.4-r2: External entities not disabled
Product: Gentoo Security
Reporter: Francis Booth <boothf>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
Whiteboard:
Package list:
Runtime testing required: ---

Description Francis Booth 2017-11-14 11:58:06 UTC
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

~ eleix (Security Padawan)

Reproducible: Didn't try
Comment 1 Francis Booth 2017-11-14 12:01:25 UTC

*** This bug has been marked as a duplicate of bug 636976 ***