[Secure-testing-commits] r45964 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Fri Nov 4 07:29:20 UTC 2016
Author: carnil
Date: 2016-11-04 07:29:19 +0000 (Fri, 04 Nov 2016)
New Revision: 45964
Modified:
data/CVE/list
Log:
Expand note for CVE-2016-9181
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-11-04 07:20:34 UTC (rev 45963)
+++ data/CVE/list 2016-11-04 07:29:19 UTC (rev 45964)
@@ -34,11 +34,17 @@
RESERVED
CVE-2016-9181 [Image-Info: XXE in SVG files]
- libimage-info-perl 1.39-1 (bug #842891)
- [jessie] - libimage-info-perl <no-dsa> (Minor issue; could be fixed via point release)
+ [jessie] - libimage-info-perl <no-dsa> (Minor issue)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=118099
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1379556
NOTE: Upstream commit: https://github.com/eserte/image-info/commit/781625b643bc05ba92127a4554de7910f3f2f8e6
NOTE: http://www.openwall.com/lists/oss-security/2016/11/02/1
+ NOTE: Older versions of libimage-info-perl only can use XML::Simple.
+ NOTE: Controlling XXE processing behavior in XML::Simple is not really
+ NOTE: possible (see https://rt.cpan.org/Ticket/Display.html?id=83794),
+ NOTE: so as a workaround the underlying SAX parser is fixed to
+ NOTE: XML::SAX::PurePerl which is uncapable of processing external entities
+ NOTE: but unfortunately it is also a slow parser.
CVE-2016-9180 [XML-Twig: expand_external_ents fails to work as documented]
- libxml-twig-perl <unfixed> (bug #842893)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=118097
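Review bot: The changed [jessie] line for libimage-info-perl drops "could be fixed via point release" without saying why, and the log message ("Expand note for CVE-2016-9181") does not mention this triage change. If the reason is that older versions can only use XML::Simple and the XML::SAX::PurePerl workaround is slow, say so explicitly in the NOTE block so the decision is traceable from the entry itself. It would also help to state whether the PurePerl pinning described in the new notes is what the referenced upstream commit does. Wording nits in the added lines: "only can use" reads better as "can only use", and "uncapable" should be "incapable".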