It is suspected that this package is vulnerable to a security vulnerability due to expanding of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. Please see the information contained in the tracker bug 600818. # grep -Fr 'Twig->new' /var/tmp/portage/media-tv/xmltv-0.5.68/work/xmltv-0.5.68 /var/tmp/portage/media-tv/xmltv-0.5.68/work/xmltv-0.5.68/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new( /var/tmp/portage/media-tv/xmltv-0.5.68/work/xmltv-0.5.68/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new(
Tested on 9/20/2017 --- all version in tree + 0.5.69 ------------------------------------------------------- developer / # grep -Fr 'use XML::' xmltv-0.5.57 <package> ================================================================= xmltv-0.5.57/lib/Lineup.pm.in:use XML::Twig; (possible issue here) ================================================================= xmltv-0.5.57/grab/na_icons/tv_grab_na_icons.in:use XML::Twig 3.28; xmltv-0.5.57/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new( ================================================================================== xmltv-0.5.57/grab/eu_epgdata/tv_grab_eu_epgdata:use XML::Twig; (possible issue here) ==================================================================================== xmltv-0.5.57/grab/na_dd/tv_grab_na_dd.in:use XML::Twig 3.10; xmltv-0.5.57/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new( xmltv-0.5.57/grab/na_dd/tv_grab_na_dd.in: my $twig=$_; ================================================================= xmltv-0.5.57/lib/XMLTV.pm.in:use XML::Twig; (possible issue here) ================================================================= xmltv-0.5.57/choose/tv_check/tv_check:use XML::Twig; xmltv-0.5.57/choose/tv_check/tv_check: my $twig = new XML::Twig(TwigHandlers => ---------------------------------------------------------------------------------------------------------- developer / # grep -Fr 'use XML::Twig' xmltv-0.5.67 <package> xmltv-0.5.67/choose/tv_check/tv_check:use XML::Twig; xmltv-0.5.67/choose/tv_check/tv_check: my $twig = new XML::Twig(TwigHandlers => ========================================== xmltv-0.5.67/lib/XMLTV.pm.in:use XML::Twig; (possible issue) ========================================== ============================================================= xmltv-0.5.67/grab/eu_epgdata/tv_grab_eu_epgdata:use XML::Twig; (possible issue) =============================================================== xmltv-0.5.67/grab/na_dd/tv_grab_na_dd.in:use XML::Twig 3.10; xmltv-0.5.67/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new( xmltv-0.5.67/grab/na_icons/tv_grab_na_icons.in:use XML::Twig 3.28; xmltv-0.5.67/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new( -------------------------------------------------------------------------------------------------------- developer / # grep -Fr 'use XML::Twig' xmltv-0.5.68 <package> xmltv-0.5.68/choose/tv_check/tv_check:use XML::Twig; xmltv-0.5.68/lib/XMLTV.pm.in:use XML::Twig; xmltv-0.5.68/grab/eu_epgdata/tv_grab_eu_epgdata:use XML::Twig; xmltv-0.5.68/grab/na_dd/tv_grab_na_dd.in:use XML::Twig 3.10; xmltv-0.5.68/grab/na_icons/tv_grab_na_icons.in:use XML::Twig 3.28; ======== developer / # grep -Fr 'my $twig' xmltv-0.5.68 xmltv-0.5.68/choose/tv_check/tv_check: my $twig = new XML::Twig(TwigHandlers => xmltv-0.5.68/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new( xmltv-0.5.68/grab/na_dd/tv_grab_na_dd.in: my $twig=$_; xmltv-0.5.68/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new( ======================================================================================= developer / # grep -Fr 'use XML::Twig' xmltv-0.5.69 <package> xmltv-0.5.69/choose/tv_check/tv_check:use XML::Twig; ========================================================== xmltv-0.5.69/lib/XMLTV.pm.in:use XML::Twig;(possible issue) =========================================================== xmltv-0.5.69/grab/eu_epgdata/tv_grab_eu_epgdata:use XML::Twig;(possible issue) ============================================================= xmltv-0.5.69/grab/na_dd/tv_grab_na_dd.in:use XML::Twig 3.10; xmltv-0.5.69/grab/na_icons/tv_grab_na_icons.in:use XML::Twig 3.28; === developer / # grep -Fr 'my $twig' xmltv-0.5.69 xmltv-0.5.69/choose/tv_check/tv_check: my $twig = new XML::Twig(TwigHandlers => xmltv-0.5.69/grab/na_dd/tv_grab_na_dd.in:my $twig=XML::Twig->new( xmltv-0.5.69/grab/na_dd/tv_grab_na_dd.in: my $twig=$_; xmltv-0.5.69/grab/na_icons/tv_grab_na_icons.in:my $twig=XML::Twig->new( Daj Uan (jmbailey) Gentoo Security Padawan
So, I'm not sure how to proceed here. The xml parsed is from a paid subscription service, but it's not beyond imagining that external elements could be injected some how.