Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600830 - media-tv/xmltv: Package uses dev-perl/XML-Twig and makes no clear statement regarding handling of external entities (CVE-2016-9180)
Summary: media-tv/xmltv: Package uses dev-perl/XML-Twig and makes no clear statement r...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream?]
Keywords:
Depends on:
Blocks: 600818
  Show dependency tree
 
Reported: 2016-11-25 17:34 UTC by Thomas Deutschmann (RETIRED)
Modified: 2019-08-25 01:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 17:34:04 UTC 
It is suspected that this package is vulnerable to a security vulnerability due to expanding of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 600818.


# grep -Fr 'Twig->new' /var/tmp/portage/media-tv/xmltv-0.5.68/work/xmltv-0.5.68
/var/tmp/portage/media-tv/xmltv-0.5.68/work/xmltv-0.5.68/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new(
/var/tmp/portage/media-tv/xmltv-0.5.68/work/xmltv-0.5.68/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new(
Comment 1 D'juan McDonald (domhnall) 2017-09-20 08:49:29 UTC 
Tested on 9/20/2017 --- all version in tree + 0.5.69
-------------------------------------------------------
developer / # grep -Fr 'use XML::' xmltv-0.5.57 <package>
=================================================================
xmltv-0.5.57/lib/Lineup.pm.in:use XML::Twig; (possible issue here)
=================================================================

xmltv-0.5.57/grab/na_icons/tv_grab_na_icons.in:use XML::Twig 3.28;
xmltv-0.5.57/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new(
 
==================================================================================
xmltv-0.5.57/grab/eu_epgdata/tv_grab_eu_epgdata:use XML::Twig; (possible issue here)
====================================================================================

xmltv-0.5.57/grab/na_dd/tv_grab_na_dd.in:use XML::Twig 3.10;
xmltv-0.5.57/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new(
xmltv-0.5.57/grab/na_dd/tv_grab_na_dd.in:                                  my $twig=$_;

=================================================================
xmltv-0.5.57/lib/XMLTV.pm.in:use XML::Twig; (possible issue here)
=================================================================

xmltv-0.5.57/choose/tv_check/tv_check:use XML::Twig;
xmltv-0.5.57/choose/tv_check/tv_check:    my $twig = new XML::Twig(TwigHandlers =>
----------------------------------------------------------------------------------------------------------
developer / # grep -Fr 'use XML::Twig' xmltv-0.5.67 <package>

xmltv-0.5.67/choose/tv_check/tv_check:use XML::Twig;
xmltv-0.5.67/choose/tv_check/tv_check:    my $twig = new XML::Twig(TwigHandlers =>
==========================================
xmltv-0.5.67/lib/XMLTV.pm.in:use XML::Twig; (possible issue)
==========================================
=============================================================
xmltv-0.5.67/grab/eu_epgdata/tv_grab_eu_epgdata:use XML::Twig; (possible issue)
===============================================================

xmltv-0.5.67/grab/na_dd/tv_grab_na_dd.in:use XML::Twig 3.10;
xmltv-0.5.67/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new( 

xmltv-0.5.67/grab/na_icons/tv_grab_na_icons.in:use XML::Twig 3.28;
xmltv-0.5.67/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new(
--------------------------------------------------------------------------------------------------------
developer / # grep -Fr 'use XML::Twig' xmltv-0.5.68 <package>

xmltv-0.5.68/choose/tv_check/tv_check:use XML::Twig;
xmltv-0.5.68/lib/XMLTV.pm.in:use XML::Twig;
xmltv-0.5.68/grab/eu_epgdata/tv_grab_eu_epgdata:use XML::Twig;
xmltv-0.5.68/grab/na_dd/tv_grab_na_dd.in:use XML::Twig 3.10;
xmltv-0.5.68/grab/na_icons/tv_grab_na_icons.in:use XML::Twig 3.28;

========
developer / # grep -Fr 'my $twig' xmltv-0.5.68

xmltv-0.5.68/choose/tv_check/tv_check:    my $twig = new XML::Twig(TwigHandlers =>
xmltv-0.5.68/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new(   
xmltv-0.5.68/grab/na_dd/tv_grab_na_dd.in:                                  my $twig=$_;
xmltv-0.5.68/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new(   
=======================================================================================
developer / # grep -Fr 'use XML::Twig' xmltv-0.5.69 <package>

xmltv-0.5.69/choose/tv_check/tv_check:use XML::Twig;
==========================================================
xmltv-0.5.69/lib/XMLTV.pm.in:use XML::Twig;(possible issue)
===========================================================
xmltv-0.5.69/grab/eu_epgdata/tv_grab_eu_epgdata:use XML::Twig;(possible issue)
=============================================================
xmltv-0.5.69/grab/na_dd/tv_grab_na_dd.in:use XML::Twig 3.10;
xmltv-0.5.69/grab/na_icons/tv_grab_na_icons.in:use XML::Twig 3.28;
===
developer / # grep -Fr 'my $twig' xmltv-0.5.69

xmltv-0.5.69/choose/tv_check/tv_check:    my $twig = new XML::Twig(TwigHandlers =>
xmltv-0.5.69/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new(   
xmltv-0.5.69/grab/na_dd/tv_grab_na_dd.in:                                  my $twig=$_;
xmltv-0.5.69/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new(   


Daj Uan (jmbailey)
Gentoo Security Padawan
Comment 2 Jason Miller 2018-02-07 19:15:30 UTC 
So, I'm not sure how to proceed here.  The xml parsed is from a paid subscription service, but it's not beyond imagining that external elements could be injected some how.