Fedora has issued an advisory on October 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D5XLBU74Y5ODXEDKOMG45KLNLQ5F63QO/ They added this patch to fix it: http://pkgs.fedoraproject.org/cgit/rpms/perl-Image-Info.git/tree/Image-Info-1.38-Image-Info-1.38_50.-w.diff?h=f24&id=28b61db2c920a2d172eb0c55928332ba930ef722
This has been assigned CVE-2016-9181: http://openwall.com/lists/oss-security/2016/11/04/2
Summary: perl-Image-Info new external entity expansion security issue => perl-Image-Info new external entity expansion security issue (CVE-2016-9181)
perl-Image-Info-1.380.0-4.mga6 uploaded for Cauldron by Nicolas. Mageia 5 update fails to build so far. Nicolas, please note that you got the CVE number wrong in the commit messages.
CC: (none) => mageia
Version: Cauldron => 5
openSUSE has issued an advisory for this today (March 11): https://lists.opensuse.org/opensuse-updates/2017-03/msg00028.html
I have uploaded a patched package for Mageia 5. Not sure how to test it, but when I ran the test from github during building it only succeeded when the patch was applied.

Suggested advisory:
========================

Updated perl-Image-Info package fixes the following security vulnerability:

A crafted SVG file could have caused information disclosure or denial of service by using external entity expansion (XXE). This is a potentially incompatible change; however usually SVG files do not rely on XXE.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9181
========================

Updated packages in core/updates_testing:
========================
perl-Image-Info-1.360.0-4.1.mga5

Source RPM:
perl-Image-Info-1.360.0-4.1.mga5.src.rpm
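For the "not sure how to test it" question above: the following is an added regression check written for this thread (it is not Image::Info's own code and not the script attached later). It writes a sentinel string to a temporary file, builds an SVG whose DOCTYPE declares an external entity pointing at that file, runs Image::Info over the SVG and reports whether the sentinel appears in any returned field. It assumes Image::Info is installed and that Image::Info::SVG reports the <title>/<desc> content (the "Title"/"ImageDescription" keys); every returned value is scanned, so the exact key names are not relied upon. If the parser behind Image::Info resolves the external entity, the script prints VULNERABLE and exits non-zero; a fixed build leaves the entity unexpanded or returns an error, and the script prints OK.

```perl
#!/usr/bin/perl
# Added regression check for CVE-2016-9181 (example code written for this
# thread; not Image::Info's own code and not the attached test script).
# A vulnerable Image::Info::SVG expands the external entity and the
# sentinel from the secret file ends up in the returned metadata.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Image::Info qw(image_info);

my $SENTINEL = 'XXE-SENTINEL-5f2c1a';   # constructed marker, any unique string

# Assumption: Image::Info::SVG copies <title> and <desc> into its output
# ("Title" and "ImageDescription"). Every returned value is scanned anyway,
# so the check does not depend on those key names.
sub build_xxe_svg {
    my ($secret_path) = @_;    # absolute path, so the URL becomes file:///...
    return <<"SVG";
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1"
     width="10px" height="20px">
  <title>&xxe;</title>
  <desc>&xxe;</desc>
  <rect width="10" height="20"/>
</svg>
SVG
}

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} $content;
    close $fh or die "cannot close $path: $!";
}

# Walk the hash reference returned by image_info (array values flattened)
# and return the first key whose value contains the sentinel, or undef.
sub leaked_field {
    my ($info) = @_;
    while (my ($key, $val) = each %{$info}) {
        my @values = ref $val eq 'ARRAY' ? @{$val} : ($val);
        for my $v (@values) {
            next if !defined $v || ref $v;
            if (index($v, $SENTINEL) >= 0) {
                keys %{$info};    # reset the each() iterator before returning
                return $key;
            }
        }
    }
    return;
}

my $dir    = tempdir(CLEANUP => 1);
my $secret = "$dir/secret.txt";
my $svg    = "$dir/xxe.svg";
write_file($secret, "$SENTINEL\n");
write_file($svg, build_xxe_svg($secret));

my @info  = image_info($svg);     # list context: one hashref per image
my $first = $info[0] or die "image_info returned nothing\n";
print "image_info error: $first->{error}\n" if $first->{error};

if (my $key = leaked_field($first)) {
    print "VULNERABLE: contents of $secret appeared in field '$key'\n";
    exit 1;
}
print "OK: sentinel from $secret not found in any field\n";
exit 0;
```

Run it once against the installed perl-Image-Info before the update and once after; only the exit status and the VULNERABLE/OK line matter. The sentinel file lives in a temporary directory so the check never touches real system files, and an "error" entry on the patched build is the expected result of the parser refusing the external entity rather than a failure of the test.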
Assignee: mageia => qa-bugs
Thanks Sander!

Suggested advisory:
========================

Updated perl-Image-Info package fixes security vulnerability:

A crafted SVG file could have caused information disclosure or denial of service by using external entity expansion (XXE). This is a potentially incompatible change; however usually SVG files do not rely on XXE (CVE-2016-9181).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9181
https://lists.opensuse.org/opensuse-updates/2017-03/msg00028.html
MGA5-32 on Asus A6000VM Xfce
No installation issues.

# urpmq --whatrequires perl-Image-Info
perl-Graph-Easy-As_svg
perl-Image-Info
perl-Image-Info

and

# urpmq --whatrequires perl-Graph-Easy-As_svg
perl-Graph-Easy-As_svg

The README in /usr/share/doc/perl-Image-Info/ contains some info on its usage, but that's beyond me.
CC: (none) => herman.viaene
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
It looks as if, rather than tackling perl-Graph-Easy-As_svg (http://bloodgate.com/perl/graph/manual/), perl-Image-Info would be simpler:

"This Perl extension allows you to extract meta information from various types of image files. The following file formats are supported:
JPEG (plain JFIF and Exif)
PNG
GIF
PBM/PGM/PPM
SVG
XBM/XPM
BMP/DIB/RLE

Usage is something like this:
use Image::Info qw(image_info);
@info = image_info("filename");
$refto_hash_describing_1st_image = $info[0];
$refto_hash_describing_2nd_image = $info[1];
"

Can find no PoC. "the CVE is for Image::Info::SVG"; "A crafted SVG file..." indicate that .svg files [using external entity expansion (XXE)] are at issue. Will play a little (x64).
CC: (none) => lewyssmith
Testing M5_64

BEFORE update: perl-Image-Info-1.360.0-4.mga5
I wrote (with help) a crude script to use perl-Image-Info directly (will attach it), which I ran on image types .jpg .png .svg; it yielded sensible output.

UPDATED to: perl-Image-Info-1.360.0-4.1.mga5
Using the script on the same images as before gave essentially identical results. On this basis alone, giving the OK.
Whiteboard: advisory => advisory MGA5-64-OK
Created attachment 9339 [details]
Crude script to drive perl-Image-Info

This script just uses perl-Image-Info to give some info about images.
Usage: $ <scriptname> <image filename>
The script is no model of elegant Perl, but it works. If >1 image is returned [how?] it only does the first.
CC: (none) => nathan95
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0151.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Further to comment 9 and the attached script, here are two alternative (and purer) suggestions for accessing *directly* elements of a hash from its reference, rather than copying the entire hash:

1) Returns key/value pairs one by one:
while (my ($key, $val) = each(%{ $hashRef })) { }

2) Returns all the keys, then the values (in the same order) in the hash:
@keysArray = keys(%{ $hashRef });
@valuesArray = values(%{ $hashRef });

I add this note for reference to aid future testing of Perl packages which return a reference to a hash array.