
exploitDog


CVE-2016-9181

Published: 22 Dec 2016
Source: debian

Description

perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.

Packages

Package              Status   Fixed version   Release   Type
libimage-info-perl   fixed    1.39-1                    package
libimage-info-perl   no-dsa                   jessie    package
libimage-info-perl   no-dsa                   wheezy    package

Notes

  • https://rt.cpan.org/Public/Bug/Display.html?id=118099

  • https://bugzilla.redhat.com/show_bug.cgi?id=1379556

  • Upstream commit: https://github.com/eserte/image-info/commit/781625b643bc05ba92127a4554de7910f3f2f8e6

  • https://www.openwall.com/lists/oss-security/2016/11/02/1

  • Older versions of libimage-info-perl can only use XML::Simple. Controlling XXE processing behavior in XML::Simple is not really possible (see https://rt.cpan.org/Ticket/Display.html?id=83794), so as a workaround the underlying SAX parser is fixed to XML::SAX::PurePerl, which is incapable of processing external entities but unfortunately is also a slow parser.

Related vulnerabilities

CVSS3: 7.1
ubuntu
about 9 years ago

perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.

CVSS3: 7.1
redhat
more than 9 years ago

perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.

CVSS3: 7.1
nvd
about 9 years ago

perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.

suse-cvrf
almost 9 years ago

Security update for perl-Image-Info

CVSS3: 7.1
github
more than 3 years ago

perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.