Bug 19669 - perl-Image-Info new external entity expansion security issue (CVE-2016-9181)
Summary: perl-Image-Info new external entity expansion security issue (CVE-2016-9181)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/704702/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-10-27 14:34 CEST by David Walser
Modified: 2017-06-06 11:48 CEST (History)
CC List: 6 users

See Also:
Source RPM: perl-Image-Info-1.380.0-3.mga6.src.rpm
CVE:
Status comment:


Attachments
Crude script to drive perl-Image-Info (512 bytes, text/plain)
2017-05-26 18:47 CEST, Lewis Smith

Comment 1 David Walser 2016-11-04 15:25:15 CET
This has been assigned CVE-2016-9181:
http://openwall.com/lists/oss-security/2016/11/04/2
Comment 2 David Walser 2016-11-16 19:16:12 CET
perl-Image-Info-1.380.0-4.mga6 uploaded for Cauldron by Nicolas.

Mageia 5 update fails to build so far.

Nicolas, please note that you got the CVE number wrong in the commit messages.
Comment 3 David Walser 2017-03-11 17:01:42 CET
openSUSE has issued an advisory for this today (March 11):
https://lists.opensuse.org/opensuse-updates/2017-03/msg00028.html
Comment 4 Sander Lepik 2017-05-12 20:07:13 CEST
I have uploaded a patched package for Mageia 5.

Not sure how to test it, but when I ran the test from GitHub during building, it only succeeded when the patch was applied.

Suggested advisory:
========================

Updated perl-Image-Info package fixes the following security vulnerability:

A crafted SVG file could have caused information disclosure or denial of service by using external entity expansion (XXE). This is a potentially incompatible change; however, usually SVG files do not rely on XXE.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9181
========================

Updated packages in core/updates_testing:
========================
perl-Image-Info-1.360.0-4.1.mga5

Source RPM:
perl-Image-Info-1.360.0-4.1.mga5.src.rpm
Comment 5 David Walser 2017-05-13 19:00:27 CEST
Thanks Sander!

Suggested advisory:
========================

Updated perl-Image-Info package fixes security vulnerability:

A crafted SVG file could have caused information disclosure or denial of
service by using external entity expansion (XXE). This is a potentially
incompatible change; however, usually SVG files do not rely on XXE
(CVE-2016-9181).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9181
https://lists.opensuse.org/opensuse-updates/2017-03/msg00028.html
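As an added illustration of the class of problem the advisory describes, here is a small Perl script that is not code from this bug report, from Image::Info, or from the Mageia patch. It assumes XML::LibXML as the XML parser behind SVG metadata extraction and uses only that module's documented parser options; which options Image::Info's own fix changed is not stated on this page. The two SVG inputs are constructed for the example, and the SYSTEM entity in the first one points at a placeholder path.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from Image::Info): extract SVG
# dimensions with a parser that never resolves external entities, and refuse
# documents that bring their own DTD, since metadata extraction needs none.
use strict;
use warnings;
use XML::LibXML;

# Constructed sample input: an SVG whose internal DTD declares an external
# entity. The path is a placeholder; nothing at that location is required.
my $crafted_svg = <<'SVG';
<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="8">
  <title>&ext;</title>
</svg>
SVG

# Constructed sample input: an ordinary SVG with no DTD at all.
my $plain_svg = <<'SVG';
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="32" height="24">
  <title>plain</title>
</svg>
SVG

# Weak configuration, shown for contrast only: XML::LibXML's defaults leave
# expand_entities and load_ext_dtd switched on, so a SYSTEM entity referenced
# from the document body is fetched and substituted.
#   my $weak = XML::LibXML->new();

# Hardened configuration: no external DTD loading, no entity substitution,
# no network access, and libxml2's size limits left in place.
my $parser = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
    huge            => 0,
);

# First line of defence: an SVG used only for metadata has no business
# carrying a DOCTYPE, so reject one before the parser ever sees it.
sub has_doctype {
    my ($xml) = @_;
    return $xml =~ /<!DOCTYPE/i ? 1 : 0;
}

# Parse an SVG string and return its width/height attributes.
sub svg_dimensions {
    my ($xml) = @_;
    die "refusing SVG with a DOCTYPE declaration\n" if has_doctype($xml);

    my $doc  = $parser->load_xml(string => $xml);
    my $root = $doc->documentElement;
    die "not an SVG document\n" unless $root->localname eq 'svg';
    return ($root->getAttribute('width'), $root->getAttribute('height'));
}

for my $sample ([crafted => $crafted_svg], [plain => $plain_svg]) {
    my ($name, $xml) = @$sample;
    my @dim = eval { svg_dimensions($xml) };
    if ($@) {
        print "$name: rejected: $@";
    } else {
        print "$name: ", join('x', @dim), "\n";
    }
}
```

The DOCTYPE check is the cheap, format-specific guard; the parser options are the backstop for anything that slips past it, and they are what matters when the parser is shared with inputs that legitimately carry a DTD.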
Comment 6 Herman Viaene 2017-05-18 10:57:17 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
# urpmq --whatrequires perl-Image-Info
perl-Graph-Easy-As_svg
perl-Image-Info
perl-Image-Info
and
# urpmq --whatrequires perl-Graph-Easy-As_svg
perl-Graph-Easy-As_svg

The README in /usr/share/doc/perl-Image-Info/ contains some info on its usage, but that's beyond me.
Comment 7 Lewis Smith 2017-05-24 16:32:26 CEST
It looks as if, rather than tackling perl-Graph-Easy-As_svg
(http://bloodgate.com/perl/graph/manual/), perl-Image-Info would be simpler:
"
This Perl extension allows you to extract meta information from various
types of image files. The following file formats are supported:
   JPEG (plain JFIF and Exif)
   PNG
   GIF
   PBM/PGM/PPM
   SVG
   XBM/XPM
   BMP/DIB/RLE
Usage is something like this:
   use Image::Info qw(image_info);
   @info = image_info("filename");
   $refto_hash_describing_1st_image = $info[0];
   $refto_hash_describing_2nd_image = $info[1];
"
Can find no PoC. "the CVE is for Image::Info::SVG"; "A crafted SVG file..." indicate that .svg files [using external entity expansion (XXE)] are at issue.
Will play a little (x64).
Comment 8 Lewis Smith 2017-05-26 18:40:18 CEST
Testing M5_64

BEFORE update: perl-Image-Info-1.360.0-4.mga5
I wrote (with help) a crude script to use perl-Image-Info directly (will attach it), which I ran on image types .jpg .png .svg; it yielded sensible output.

UPDATED to: perl-Image-Info-1.360.0-4.1.mga5
Using the script on the same images as before gave essentially identical results.
On this basis alone, giving the OK.
Comment 9 Lewis Smith 2017-05-26 18:47:45 CEST
Created attachment 9339 [details]
Crude script to drive perl-Image-Info

This script just uses perl-Image-Info to give some info about images. Usage:
 $ <scriptname> <image filename>
The script is no model of elegant Perl, but it works. If >1 image is returned [how?] it only does the first.
Comment 10 Mageia Robot 2017-05-29 17:06:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0151.html
Comment 11 Lewis Smith 2017-06-06 11:48:10 CEST
Further to comment 9 and the attached script, here are two alternative (and purer) suggestions for accessing *directly* elements of a hash from its reference; rather than copying the entire hash:

1) Returns one by one key/value pairs:
while (my ($key, $val) = each(%{ $hashRef })) {
    # $key and $val hold the current pair; use them here
}

2) Returns all the keys, then the values (in the same order) in the hash:
my @keysArray   = keys(%{ $hashRef });
my @valuesArray = values(%{ $hashRef });

I add this note for reference to aid future testing of Perl packages which return a reference to a hash array.
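For reference, here is an added Perl script that ties together the Image::Info usage quoted in comment 7 and the hash-reference access described above. It is not the attached script from comment 9 and not code from the Image::Info project. It assumes the documented behaviour that image_info() accepts a reference to a scalar holding image bytes and reports failures through an "error" key; the PBM bitmap it feeds in is constructed for the example, and it iterates the hash with sorted keys rather than each() so the output order is stable.

```perl
#!/usr/bin/perl
# Added example (not the attached script from the bug report): drive
# Image::Info on an in-memory image and walk the returned hash reference
# without copying the whole hash.
use strict;
use warnings;
use Image::Info qw(image_info);

# Constructed sample input: a 3x2 plain-text PBM bitmap, one of the formats
# Image::Info supports, embedded so the script runs without any image files.
my $pbm_data = "P1\n3 2\n1 0 1\n0 1 0\n";

# image_info() takes a filename, an open filehandle, or a reference to a
# scalar holding the image bytes. In list context it returns one hash
# reference per image found in the source; a PBM holds exactly one.
sub describe_image {
    my ($source) = @_;
    my @images = image_info($source);
    return () unless @images;

    my $first = $images[0];
    # Image::Info reports a failure as a hash with an "error" key, not by dying.
    die "Image::Info: $first->{error}\n" if exists $first->{error};

    # Read the hash through its reference, one key at a time.
    my @lines;
    for my $key (sort keys %{ $first }) {
        my $val = $first->{$key};
        # Some keys hold array references rather than plain scalars.
        $val = join(',', @{$val}) if ref $val eq 'ARRAY';
        $val = '<' . ref($val) . '>' if ref $val;
        push @lines, "$key = $val";
    }
    return @lines;
}

# Use the file named on the command line, or the built-in sample otherwise.
my $source = @ARGV ? $ARGV[0] : \$pbm_data;
print "$_\n" for describe_image($source);
```

Run it with no arguments to see the fields Image::Info extracts from the embedded bitmap (width and height among them), or pass an image filename as in the attached script's usage line.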
