Bug 409417 (CVE-2012-0037) - <media-libs/raptor-2.0.7 : RDF XML External Entity Processing Information Disclosure Vulnerability (CVE-2012-0037)
Summary: <media-libs/raptor-2.0.7 : RDF XML External Entity Processing Information Dis...
Status: RESOLVED FIXED
Alias: CVE-2012-0037
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48479/
Whiteboard: B4 [noglsa]
Reported: 2012-03-23 09:45 UTC by Agostino Sarubbo
Modified: 2012-04-06 19:54 UTC (History)
Description Agostino Sarubbo gentoo-dev 2012-03-23 09:45:39 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to an error when processing XML external entities in certain XML components within an RDF document. This can be exploited to disclose the contents of arbitrary files within an RDF document by specially crafted XML entities.

The vulnerability is reported in versions prior to 2.0.7.


Solution
Update to version 2.0.7.
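The advisory above describes a classic external-entity disclosure. As an added illustration (not code from the bug report or from raptor), the following Python check uses the standard library's expat bindings to refuse any RDF/XML document that declares or references an external entity before the referenced URI is ever opened; the two sample documents are constructed, and the file path in the second is a placeholder that is never read.

```python
import xml.parsers.expat


class ExternalEntityError(ValueError):
    """The document declares or references an external XML entity."""


def parse_rdf_xml_safely(data: bytes) -> list[str]:
    """Parse RDF/XML and return element names in document order, refusing
    any external (SYSTEM/PUBLIC) entity before its URI can be fetched."""
    parser = xml.parsers.expat.ParserCreate()
    elements: list[str] = []
    refused: list[str] = []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry their text in `value`; external ones carry a
        # system/public identifier instead. Reject the latter outright.
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(f"external entity {name!r} -> {system_id!r}")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: a false return makes expat abort instead of loading.
        refused.append(system_id)
        return 0

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        if refused:
            raise ExternalEntityError(f"refused {refused[0]!r}") from exc
        raise
    return elements


def rejects_external_entities(data: bytes) -> bool:
    """True if the document is refused because it uses an external entity."""
    try:
        parse_rdf_xml_safely(data)
    except ExternalEntityError:
        return True
    return False


# Constructed sample: ordinary RDF/XML with no DTD at all.
SAFE_RDF = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <rdf:Description rdf:about="http://example.org/doc"><dc:title>sample</dc:title></rdf:Description>
</rdf:RDF>"""

# Constructed sample of the pattern the advisory describes; the path is a
# placeholder and is never opened because the declaration is rejected first.
UNSAFE_RDF = b"""<?xml version="1.0"?>
<!DOCTYPE rdf:RDF [ <!ENTITY ext SYSTEM "file:///placeholder/never-read.txt"> ]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
  <rdf:Description rdf:about="http://example.org/doc"><dc:title>&ext;</dc:title></rdf:Description>
</rdf:RDF>"""
```

Raptor 2.0.7 itself moved to libxml2 rather than expat; the point carried over is that external entity resolution must be refused, not merely left unconfigured.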
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-03-30 19:15:23 UTC
2.0.7 in Portage now but it's more than security fix. Upstream removed support for libexpat in favour of libxml2. Upstream removed internal unicode support in favour of external ICU libraries. So be careful when testing and test reverse dependencies too!

Test & stabilize:

=media-libs/raptor-2.0.7 "amd64 arm hppa ppc ppc64 x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-01 17:14:34 UTC
Stable for HPPA.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2012-04-02 14:40:01 UTC
hmmm I wonder

archtester raptor # scanelf -n /usr/lib64/libraptor2.so
 TYPE   NEEDED FILE 
ET_DYN libcurl.so.4,libldap-2.4.so.2,librt.so.1,libssl.so.1.0.0,libcrypto.so.1.0.0,libicuuc.so.48,libxslt.so.1,libxml2.so.2,libz.so.1,libm.so.6,libyajl.so.1,libc.so.6 /usr/lib64/libraptor2.so 

libcrypto && libz again. I think it was decided zlib was in system.

archtester raptor # qfile libcrypto.so.1.0.0
dev-libs/openssl (/usr/lib64/libcrypto.so.1.0.0)
ok net-misc/curl pulls in openssl

archtester raptor # ebuild raptor-2.0.7.ebuild clean test
>>> Source compiled.
>>> Test phase [none]: media-libs/raptor-2.0.7

amd64 all ok
Comment 4 Agostino Sarubbo gentoo-dev 2012-04-03 21:54:19 UTC
amd64 stable
Comment 5 Andreas Schürch gentoo-dev 2012-04-05 04:59:24 UTC
x86 stable, thanks.
Comment 6 Markus Meier gentoo-dev 2012-04-06 10:47:06 UTC
arm stable
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2012-04-06 19:00:20 UTC
- ppc/ppc64 stable, all arches done
- removed USE=rss from net-irc/eiwic in order to remove SLOT=0 of media-libs/raptor, not sure if this was vulnerable or not
Comment 8 Agostino Sarubbo gentoo-dev 2012-04-06 19:07:36 UTC
Thanks all.

security, please vote.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-04-06 19:20:44 UTC
GLSA Vote: no.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-06 19:54:27 UTC
GLSA vote: no.

Closing noglsa