498866 – (CVE-2014-1626) <dev-perl/MARC-XML-1.000.300: XML External Entity privilege escalation (CVE-2014-1626)

Bug 498866 (CVE-2014-1626) - <dev-perl/MARC-XML-1.000.300: XML External Entity privilege escalation (CVE-2014-1626)

Summary: <dev-perl/MARC-XML-1.000.300: XML External Entity privilege escalation (CVE-2...

Status:	RESOLVED FIXED

Alias:	CVE-2014-1626

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	~1 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-01-22 00:32 UTC by Chris Reffett (RETIRED)
Modified:	2014-01-23 17:19 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Reffett (RETIRED) gentoo-dev

2014-01-22 00:32:02 UTC

From ${URL}:
I am the maintainer of the Perl module MARC::File::XML, which is used
by various applications to manipulate a metadata format used by
libraries, and would like to request the allocation of a CVE
identifier for an XXE vulnerability that is fixed in version 1.0.2 of
the module.  I have evidence that the vulnerability can be used in at
least one F/LOSS integrated library system, Koha, to perform an
application-level privilege escalation, and another one, Evergreen, is
likely vulnerable to disclosure of the contents of arbitrary files on
the server.  I am a committer to both of those projects.

@maintainers: version bump required.

Comment 1 Chris Reffett (RETIRED) gentoo-dev

2014-01-22 00:33:46 UTC

Guessing this as ~1 due to the priv escalation.

Comment 2 Mikle Kolyada (RETIRED) archtester

2014-01-23 17:19:03 UTC

Unaffected version in the tree. Cleanup done. No affected version stable, closed as [noglsa].