| Summary: | perl-Image-Info new external entity expansion security issue (CVE-2016-9181) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, mageia, nathan95, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/704702/ | ||
| Whiteboard: | advisory MGA5-64-OK MGA5-32-OK | ||
| Source RPM: | perl-Image-Info-1.380.0-3.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Crude script to drive perl-Image-Info | ||
Description

David Walser
2016-10-27 14:34:31 CEST

This has been assigned CVE-2016-9181: http://openwall.com/lists/oss-security/2016/11/04/2

Summary: perl-Image-Info new external entity expansion security issue => perl-Image-Info new external entity expansion security issue (CVE-2016-9181)

perl-Image-Info-1.380.0-4.mga6 uploaded for Cauldron by Nicolas. Mageia 5 update fails to build so far.

Nicolas, please note that you got the CVE number wrong in the commit messages.

CC: (none) => mageia

openSUSE has issued an advisory for this today (March 11):
https://lists.opensuse.org/opensuse-updates/2017-03/msg00028.html

I have uploaded a patched package for Mageia 5. Not sure how to test it, but when I ran the test from github during building it only succeeded when the patch was applied.

Suggested advisory:
========================

Updated perl-Image-Info package fixes the following security vulnerability:

A crafted SVG file could have caused information disclosure or denial of service by using external entity expansion (XXE). This is a potentially incompatible change; however usually SVG files do not rely on XXE.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9181
========================

Updated packages in core/updates_testing:
========================
perl-Image-Info-1.360.0-4.1.mga5

Source RPM:
perl-Image-Info-1.360.0-4.1.mga5.src.rpm

Assignee: mageia => qa-bugs

Thanks Sander!

Suggested advisory:
========================

Updated perl-Image-Info package fixes security vulnerability:

A crafted SVG file could have caused information disclosure or denial of service by using external entity expansion (XXE). This is a potentially incompatible change; however usually SVG files do not rely on XXE (CVE-2016-9181).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9181
https://lists.opensuse.org/opensuse-updates/2017-03/msg00028.html

MGA5-32 on Asus A6000VM Xfce

No installation issues.

    # urpmq --whatrequires perl-Image-Info
    perl-Graph-Easy-As_svg
    perl-Image-Info
    perl-Image-Info

and

    # urpmq --whatrequires perl-Graph-Easy-As_svg
    perl-Graph-Easy-As_svg

The README in /usr/share/doc/perl-Image-Info/ contains some info on its usage, but that's beyond me.

CC: (none) => herman.viaene

Dave Hodgins
2017-05-21 03:29:58 CEST

CC: (none) => davidwhodgins

It looks as if, rather than tackling perl-Graph-Easy-As_svg (http://bloodgate.com/perl/graph/manual/), perl-Image-Info would be simpler:

"This Perl extension allows you to extract meta information from various types of image files. The following file formats are supported:

    JPEG (plain JFIF and Exif)
    PNG
    GIF
    PBM/PGM/PPM
    SVG
    XBM/XPM
    BMP/DIB/RLE

Usage is something like this:

    use Image::Info qw(image_info);
    @info = image_info("filename");
    $refto_hash_describing_1st_image = $info[0];
    $refto_hash_describing_2nd_image = $info[1];
"

Can find no PoC. "the CVE is for Image::Info::SVG"; "A crafted SVG file..." indicate that .svg files [using external entity expansion (XXE)] are at issue. Will play a little (x64).

CC: (none) => lewyssmith

Testing M5_64

BEFORE update: perl-Image-Info-1.360.0-4.mga5
I wrote (with help) a crude script to use directly perl-Image-Info (will attach it) which I ran on image types .jpg .png .svg; it yielded sensible output.

UPDATED to: perl-Image-Info-1.360.0-4.1.mga5
Using the script on the same images as before gave essentially identical results.

On this basis alone, giving the OK.

Whiteboard: advisory => advisory MGA5-64-OK

Created attachment 9339 [details]
Crude script to drive perl-Image-Info

This script just uses perl-Image-Info to give some info about images. Usage:

    $ <scriptname> <image filename>

The script is no model of elegant Perl, but it works. If >1 image is returned [how?] it only does the first.

nathan giovannini
2017-05-28 14:02:25 CEST

CC: (none) => nathan95

nathan giovannini
2017-05-28 14:39:42 CEST

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0151.html

Status: NEW => RESOLVED

Further to comment 9 and the attached script, here are two alternative (and purer) suggestions for accessing *directly* elements of a hash from its reference, rather than copying the entire hash:

1) Returns one by one key/value pairs:

    while (my ($key, $val) = each(%{ $hashRef })) { }

2) Returns all the keys, then the values (in the same order) in the hash:

    @keysArray = keys(%{ $hashRef });
    @valuesArray = values(%{ $hashRef });

I add this note for reference to aid future testing of Perl packages which return a reference to a hash array.
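As an added example (not attachment 9339 and not code from the Image::Info project), a driver in the spirit of the attached script that walks every hash reference image_info returns instead of only the first, checks the error key that Image::Info documents for unparsable input, and reads the referenced hash directly as suggested in the note above. It assumes only the image_info usage quoted from the README on this page.

```perl
#!/usr/bin/perl
# Added example for QA testing of perl-Image-Info: print the metadata of
# every image image_info() finds in a file, working on the hash references
# directly rather than copying the first hash.
use strict;
use warnings;
use Image::Info qw(image_info);

my $file = shift @ARGV or die "usage: $0 <image filename>\n";

# image_info() returns one hash reference per image found in the file;
# multi-image formats (e.g. animated GIF) can yield more than one.
my @info = image_info($file);
die "no image information returned for $file\n" unless @info;

my $n = 0;
for my $img (@info) {
    $n++;
    # A file that cannot be parsed is reported via the 'error' key rather
    # than by dying, so check it before trusting the other fields.
    if (defined $img->{error}) {
        print "image $n: error: $img->{error}\n";
        next;
    }
    my $type = $img->{file_media_type} // 'unknown type';
    my $w    = $img->{width}  // '?';
    my $h    = $img->{height} // '?';
    print "image $n: $type (${w}x${h})\n";

    # Walk the referenced hash in place (sorted for stable output across
    # the before/after runs of an update test).
    for my $key (sort keys %{$img}) {
        my $val = $img->{$key};
        $val = join(', ', @{$val}) if ref $val eq 'ARRAY';
        $val = '<' . ref($val) . '>' if ref $val;   # nested structures
        $val = '' unless defined $val;
        print "  $key = $val\n";
    }
}
```

Running it on the same .jpg, .png and .svg files before and after the update lets you diff the two outputs rather than eyeballing them.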