oss-sec mailing list archives
Re: CVE request: XXE in perl Image::Info and XML::Twig
From: <cve-assign () mitre org>
Date: Fri, 4 Nov 2016 03:05:16 -0400
XML-Twig: expand_external_ents fails to work as documented
https://rt.cpan.org/Public/Bug/Display.html?id=118097
https://bugzilla.redhat.com/show_bug.cgi?id=1379553
This option (which defaults to 0) is supposed to control XXE when parsing documents with XML::Twig, but it has no effect and XXE always takes place.
Use CVE-2016-9180.
Image-Info: XXE in SVG files
https://rt.cpan.org/Public/Bug/Display.html?id=118099
https://bugzilla.redhat.com/show_bug.cgi?id=1379556

This was promptly fixed in 1.38_50 / 1.39.
Use CVE-2016-9181.

118099 suggests that this was exploitable only when XML::LibXML was installed, but the CVE is for Image::Info::SVG, not for XML::LibXML.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
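A self-check for the XML::Twig issue above, added here and not part of the CVE team's message or of XML::Twig itself: it writes a marker into a temporary file it owns, references that file from a constructed external entity, and reports whether the installed XML::Twig honours expand_external_ents => 0. It assumes the constructor option name given in the bug report and reads the parsed content through root->text.

```perl
#!/usr/bin/env perl
# Regression check for CVE-2016-9180 behaviour: with expand_external_ents
# set to 0, an external entity should NOT be expanded. The marker string
# and the temporary file are constructed by this script for the check.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::Twig;

# Returns 1 if the marker from our own temp file shows up in the parsed
# text (entity was expanded), 0 otherwise. $twig_args is a hashref of
# XML::Twig->new options to probe (option name taken from the bug report).
sub external_entity_expanded {
    my ($twig_args) = @_;
    my $marker = 'MARKER-' . $$ . '-' . time;
    my ($fh, $path) = tempfile(UNLINK => 1);   # absolute path, removed on exit
    print {$fh} $marker;
    close $fh;

    # Constructed document: the external entity points at our own file only.
    my $doc = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE d [ <!ENTITY ext SYSTEM "$path"> ]>
<d>&ext;</d>
XML

    my $twig = XML::Twig->new(%$twig_args);
    # A parse failure (e.g. entity not resolvable) counts as "not expanded".
    my $text = eval { $twig->parse($doc); $twig->root->text } // '';
    return index($text, $marker) >= 0 ? 1 : 0;
}

my $expanded = external_entity_expanded({ expand_external_ents => 0 });
printf "XML::Twig %s with expand_external_ents => 0: external entity %s\n",
    $XML::Twig::VERSION,
    $expanded ? 'EXPANDED (affected, CVE-2016-9180)' : 'not expanded';
```

Run it against each installed XML::Twig version; a version that prints "not expanded" honours the option as documented.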
Current thread:
- CVE request: XXE in perl Image::Info and XML::Twig Doran Moppert (Nov 01)
- Re: CVE request: XXE in perl Image::Info and XML::Twig cve-assign (Nov 04)