Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616474 (CVE-2017-5661) - dev-java/fop: XML external entity processing vulnerability
Summary: dev-java/fop: XML external entity processing vulnerability
Status: IN_PROGRESS
Alias: CVE-2017-5661
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [ebuild/cve]
Keywords:
Depends on: 727504
Blocks:
  Show dependency tree
 
Reported: 2017-04-24 11:43 UTC by Agostino Sarubbo
Modified: 2021-06-17 06:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-24 11:43:04 UTC
From ${URL} :

In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can 
be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - 
would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification 
attack.

References:

https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/86


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Demetris Nakos (sokan) 2018-05-27 18:01:03 UTC
@maintainer(s): ping

FOP 2.3 is available (https://xmlgraphics.apache.org/fop/2.3/) which also contains the fix. 

Demetris Nakos
- Gentoo Security Padawan -
Comment 2 John Helmert III gentoo-dev Security 2020-06-10 02:29:53 UTC
Maintainer(s): Ping.

FOP is now at version 2.5 upstream. Fix for CVE-2017-5661 was released with 2.2.

https://xmlgraphics.apache.org/fop/2.5/
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2020-06-10 03:13:42 UTC
Maintainers, please update the vulnerable package, or consider removing from tree if there are no plans to update.