Bug 19669 - perl-Image-Info new external entity expansion security issue (CVE-2016-9181)
Summary: perl-Image-Info new external entity expansion security issue (CVE-2016-9181)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/704702/
Whiteboard: advisory
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-27 14:34 CEST by David Walser
Modified: 2017-05-21 03:29 CEST (History)

See Also:
Source RPM: perl-Image-Info-1.380.0-3.mga6.src.rpm
CVE:
Status comment:

Comment 1 David Walser 2016-11-04 15:25:15 CET
This has been assigned CVE-2016-9181:
http://openwall.com/lists/oss-security/2016/11/04/2
Comment 2 David Walser 2016-11-16 19:16:12 CET
perl-Image-Info-1.380.0-4.mga6 uploaded for Cauldron by Nicolas.

Mageia 5 update fails to build so far.

Nicolas, please note that you got the CVE number wrong in the commit messages.
Comment 3 David Walser 2017-03-11 17:01:42 CET
openSUSE has issued an advisory for this today (March 11):
https://lists.opensuse.org/opensuse-updates/2017-03/msg00028.html
Comment 4 Sander Lepik 2017-05-12 20:07:13 CEST
I have uploaded a patched package for Mageia 5.

Not sure how to test it, but when I ran the test from github during building it only succeeded when the patch was applied.

Suggested advisory:
========================

Updated perl-Image-Info package fixes the following security vulnerability:

A crafted SVG file could have caused information disclosure or denial of service by using external entity expansion (XXE). This is a potentially incompatible change; however usually SVG files do not rely on XXE.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9181
========================

Updated packages in core/updates_testing:
========================
perl-Image-Info-1.360.0-4.1.mga5

Source RPM:
perl-Image-Info-1.360.0-4.1.mga5.src.rpm
Comment 5 David Walser 2017-05-13 19:00:27 CEST
Thanks Sander!

Suggested advisory:
========================

Updated perl-Image-Info package fixes security vulnerability:

A crafted SVG file could have caused information disclosure or denial of
service by using external entity expansion (XXE). This is a potentially
incompatible change; however usually SVG files do not rely on XXE
(CVE-2016-9181).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9181
https://lists.opensuse.org/opensuse-updates/2017-03/msg00028.html
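The advisory text above names the class of flaw (external entity expansion in SVG input) but not what a defensive check for it looks like. The following is an added example, not code from Image::Info, from Mageia, or from anyone on this bug: a Python guard, built on the standard-library expat parser, that refuses an SVG document whose prolog declares any entity or points at an external DTD before the document is handed to a full XML parser. The sample SVGs, the placeholder file path, the class name ExternalEntityRisk and the function names are all constructed for this demonstration.

```python
"""Refuse SVG input that could trigger external entity expansion (XXE).

Added example, not Image::Info code. Strategy: observe the DTD events that
expat reports for the prolog and reject the document on the first entity
declaration or external DTD reference. No entity is resolved during the scan
because no ExternalEntityRefHandler is installed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class ExternalEntityRisk(ValueError):
    """Raised when the prolog carries a construct that enables XXE or entity bombs."""


def check_svg_dtd(xml_bytes: bytes) -> None:
    """Raise ExternalEntityRisk for entity declarations or external DTD subsets."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A SYSTEM/PUBLIC identifier means an external subset that a parser
        # configured to load DTDs would fetch and that could declare entities.
        if system_id or public_id:
            raise ExternalEntityRisk(
                f"DOCTYPE {name!r} references an external DTD: {system_id!r}")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        # Internal entities allow expansion bombs (denial of service); external
        # ones allow file or URL reads (information disclosure). Refuse both.
        raise ExternalEntityRisk(f"entity declaration {name!r} not allowed in SVG")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # A handler exception is re-raised from Parse(), so the scan stops at the
    # first offending declaration.
    parser.Parse(xml_bytes, True)


def is_safe_svg(xml_bytes: bytes) -> bool:
    """True when the prolog contains nothing that could trigger entity expansion."""
    try:
        check_svg_dtd(xml_bytes)
    except ExternalEntityRisk:
        return False
    return True


def svg_dimensions(xml_bytes: bytes):
    """Return (width, height) of the root <svg> element, after the DTD check."""
    check_svg_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag not in ("svg", "{http://www.w3.org/2000/svg}svg"):
        raise ValueError(f"not an SVG root element: {root.tag}")
    return root.get("width"), root.get("height")


# Constructed sample inputs for the demonstration.
CLEAN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="50">
  <rect width="100" height="50"/>
</svg>"""

# Internal subset declaring an external entity; the path is a placeholder.
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///placeholder/secret.txt"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="50">
  <text>&xxe;</text>
</svg>"""

# Legitimate-looking file with the W3C external DTD; still refused, because
# an external subset may declare entities the parser would load.
EXTERNAL_DTD_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"/>"""


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("xxe", XXE_SVG), ("ext-dtd", EXTERNAL_DTD_SVG)):
        print(f"{label:8s} safe={is_safe_svg(doc)}")
    print("dimensions:", svg_dimensions(CLEAN_SVG))
```

The guard is deliberately stricter than the minimum: it also rejects SVG files that only reference the public W3C DTD, which is the same kind of compatibility trade-off the advisory flags when it says the change is potentially incompatible but that SVG files rarely rely on XXE. A consumer that must accept such files can relax on_doctype to permit an external DTD while keeping the parser itself configured not to load it.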
Comment 6 Herman Viaene 2017-05-18 10:57:17 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
# urpmq --whatrequires perl-Image-Info
perl-Graph-Easy-As_svg
perl-Image-Info
perl-Image-Info
and
# urpmq --whatrequires perl-Graph-Easy-As_svg
perl-Graph-Easy-As_svg

The README in /usr/share/doc/perl-Image-Info/ contains some info on its usage, but that's beyond me.
