Date: Fri, 4 Nov 2016 03:05:16 -0400
From: <cve-assign@...re.org>
To: <dmoppert@...hat.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE request:  XXE in perl Image::Info and XML::Twig

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> XML-Twig: expand_external_ents fails to work as documented

> https://rt.cpan.org/Public/Bug/Display.html?id=118097
> https://bugzilla.redhat.com/show_bug.cgi?id=1379553

> This option (which defaults to 0) is supposed to control XXE when parsing
> documents with XML::Twig, but it has no effect and XXE always takes
> place.

Use CVE-2016-9180.


>> Image-Info: XXE in SVG files

> https://rt.cpan.org/Public/Bug/Display.html?id=118099
> https://bugzilla.redhat.com/show_bug.cgi?id=1379556
> 
> This was promptly fixed in 1.38_50 / 1.39.

Use CVE-2016-9181.

118099 suggests that this was exploitable only when XML::LibXML was installed,
but the CVE is for Image::Info::SVG, not for XML::LibXML.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYHDIEAAoJEHb/MwWLVhi2cowP/3KQY1byhquXjsu4Nem8qz4H
Tb7YWpeCUxIKbrqA60DEVfPKY0ges1vQ1JCzYlElU3/VAMe7ZWrTAnuxwangQCZI
RZcVMDOcdJJGSjOyPUhdr2MLbCwl0U8U6z2ZeLGJh1aN6DqcE4XZtmNbjPNU7ea/
uvEzHZEh5SL0tyM30fCrSsPARqYtlbMt0o6uPbfg9wi71Pkcmz+451CF8BhM8bdl
mLd7EWQHxHnF4Y3kSCYkLsAULDTgGEzu97i+m68nkwPII8EpwjKF1wXbRKgU2fjA
bgTYC7j/em9VYHAjVzPKTwIJ0MiAsqS+HDywyoqc6uCgV0OQ8qaKvBu4v3d28tbt
HyBKWK/cMwYSGg6hiOsfrGU8mSk3mKD9NFgdHjllnS12Xo6QHln9BXfUnhZDRzMt
PuOtBeq7jWsSCp1C0dbwMpPD2zCHlaHmSwBabk2s1F7GQtgZogM5bZZxO1099b1D
Lq+BOpDRwezSOKcu1ITRO1qUJ63ECtvUK1K/9Lv/AWFkXVANoBEv0tlABmsj2WUB
zIy0bOQo7a8n8lRY/ECJvK/C3HLQU2RPdE0lXw2bldr+MSNhV1zNoQypJgzxwxtT
5TFsQXMwrJ91vJmRH2gjNykX74ItPcOppL+ws2yAv1ZVTaxDbUk5yhSj7JFbkuUQ
rpHTnlXvLA8UmaYREUnj
=M28z
-----END PGP SIGNATURE-----
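
The two reports above describe the same failure from different angles: a parser option that is supposed to stop external entity expansion but does not (XML::Twig's expand_external_ents), and an SVG loader (Image::Info::SVG) that hands untrusted XML to an entity-expanding backend. The example below is added here and is not code from the thread, from XML::Twig or from Image::Info; it stands in for those Perl modules with Python's standard-library xml.sax parser, whose external-general-entities feature plays the role of the option being tested. The SVG payload is constructed for the example, and the names RecordingResolver, probe_external_entities and has_external_entity_decl are the example's own. It shows the check a packager can run against any parser configuration: parse a document that references an external entity and record whether the parser actually tries to fetch it, with an entity resolver that returns an empty stream so nothing on disk is ever read; and, for code that cannot control which backend is installed (the XML::LibXML situation in the Image::Info report), a pre-parse guard that rejects documents declaring SYSTEM or PUBLIC entities at all.

```python
"""Probe whether a parser configuration would resolve external entities.

Added example (not from the mailing-list thread or either Perl module).
Uses Python's stdlib xml.sax in place of XML::Twig / Image::Info::SVG.
"""
import io
import re
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource

# Constructed sample: an SVG whose internal DTD subset declares an external
# general entity pointing at a local file, then references it in <title>.
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <title>&xxe;</title>
</svg>
"""

# Constructed sample without any DOCTYPE, for comparison.
CLEAN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <title>harmless</title>
</svg>
"""


class RecordingResolver(handler.EntityResolver):
    """Records every external entity the parser tries to fetch and hands back
    an empty in-memory stream, so the probe never touches disk or network."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(b""))
        return source


class TextCollector(handler.ContentHandler):
    """Minimal content handler; collects character data so the parse runs to
    completion like a real consumer would."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def probe_external_entities(xml_bytes, allow_external):
    """Parse xml_bytes and return the list of external entity system IDs the
    parser attempted to resolve. allow_external is the knob under test: the
    analogue of XML::Twig's expand_external_ents. A correctly behaving parser
    returns [] when it is False; the XML::Twig report describes the case where
    the knob has no effect and the list is non-empty either way."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(TextCollector())
    src = InputSource()
    src.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(src)
    return resolver.requested


# Matches an entity declaration with an external identifier (SYSTEM/PUBLIC).
_EXTERNAL_ENTITY_DECL = re.compile(rb"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)\b",
                                   re.IGNORECASE)


def has_external_entity_decl(xml_bytes):
    """Pre-parse guard for wrappers that cannot choose or configure the XML
    backend: reject any document whose DTD declares an external entity."""
    return _EXTERNAL_ENTITY_DECL.search(xml_bytes) is not None


if __name__ == "__main__":
    print("external entities enabled: ", probe_external_entities(XXE_SVG, True))
    print("external entities disabled:", probe_external_entities(XXE_SVG, False))
    print("guard flags payload:", has_external_entity_decl(XXE_SVG))
    print("guard flags clean file:", has_external_entity_decl(CLEAN_SVG))
```

With the feature enabled the resolver is asked for file:///etc/hostname; with it disabled the resolver is never called, which is the behaviour the XML::Twig option was documented to provide. Run the same probe through whichever module and option you are packaging; if the "disabled" run still records a request, the option is not doing what its documentation says. The regex guard is a coarse, fail-closed filter (it also rejects benign external entities) and is meant for callers like an image-metadata reader that has no business expanding entities at all.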
