Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 498866 (CVE-2014-1626) - <dev-perl/MARC-XML-1.000.300: XML External Entity privilege escalation (CVE-2014-1626)
Summary: <dev-perl/MARC-XML-1.000.300: XML External Entity privilege escalation (CVE-2...
Alias: CVE-2014-1626
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Depends on:
Reported: 2014-01-22 00:32 UTC by Chris Reffett (RETIRED)
Modified: 2014-01-23 17:19 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Chris Reffett (RETIRED) gentoo-dev Security 2014-01-22 00:32:02 UTC
From ${URL}:
I am the maintainer of the Perl module MARC::File::XML, which is used
by various applications to manipulate a metadata format used by
libraries, and would like to request the allocation of a CVE
identifier for an XXE vulnerability that is fixed in version 1.0.2 of
the module.  I have evidence that the vulnerability can be used in at
least one F/LOSS integrated library system, Koha, to perform an
application-level privilege escalation, and another one, Evergreen, is
likely vulnerable to disclosure of the contents of arbitrary files on
the server.  I am a committer to both of those projects.

@maintainers: version bump required.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-22 00:33:46 UTC
Guessing this as ~1 due to the priv escalation.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-23 17:19:03 UTC
Unaffected version in the tree. Cleanup done. No affected version stable, closed as [noglsa].