637476 – dev-java/itext-5.5.4-r2: External entities not disabled

Bug 637476 - dev-java/itext-5.5.4-r2: External entities not disabled

Summary: dev-java/itext-5.5.4-r2: External entities not disabled

Status:	RESOLVED DUPLICATE of bug 636976

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://www.compass-security.com/file...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-11-14 11:58 UTC by Francis Booth
Modified:	2017-11-14 12:01 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Francis Booth 2017-11-14 11:58:06 UTC

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.


~ eleix (Security Padawan)


Reproducible: Didn't try

Comment 1 Francis Booth 2017-11-14 12:01:25 UTC


*** This bug has been marked as a duplicate of bug 636976 ***