
List:       oss-security
Subject:    [oss-security] Re: CVE request: Perl XML::LibXML
From:       cve-assign () mitre ! org
Date:       2015-04-30 4:54:53
Message-ID: 20150430045453.A4BC642E0BA () smtpvbsrv1 ! mitre ! org

> XEE vulnerability in Perl's XML::LibXML
> 
> The output of XEE-XML-LibXML-demo.pl should not contain external
> entities, but "expand_entities" is ignored.
> 
> Using "$XML_DOC = XML::LibXML->load_xml" works as documented, using 
> $parser = XML::LibXML->new and $XML_DOC = $parser->load_xml does not.
> 
> The vulnerability is fixed in version 2.0119.
> 
> https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30
> 
> http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes

> LibXML.pm
> 
> $new->{XML_LIBXML_PARSER_OPTIONS} = $self->{XML_LIBXML_PARSER_OPTIONS};

> 2.0119  2015-04-23
>     - Preserve unset options after a _clone() call (e.g: in load_xml()).
>         - This caused expand_entities(0) to not be preserved/etc.
>         - Thanks to Tilmann Haak from xing.com for the report.

Use CVE-2015-3451.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
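As an added regression check (not code from the report, from the CVE entry, or from XML::LibXML's own test suite), the following Perl script exercises both construction patterns named in the quoted message against a constructed document carrying an external entity and reports whether `expand_entities => 0` was honoured on the installed version. The temp file, its `SECRET-MARKER` content and the sub names are assumptions made for the check.

```perl
#!/usr/bin/env perl
# Regression check for the option-loss bug fixed in XML::LibXML 2.0119:
# a parser built with XML::LibXML->new(expand_entities => 0) must not
# expand external entities when documents are loaded via $parser->load_xml.
use strict;
use warnings;
use XML::LibXML;
use File::Temp qw(tempfile);

# Constructed file standing in for data an expanded entity would leak.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print $fh "SECRET-MARKER\n";
close $fh;

# Constructed document: one external entity pointing at that file.
my $xml = <<"END_XML";
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file://$secret_path"> ]>
<doc>&xxe;</doc>
END_XML

# With expansion disabled libxml2 keeps an entity-reference node, so the
# serialised document still reads "&xxe;" rather than the file content.
sub entity_was_expanded {
    my ($doc) = @_;
    return $doc->toString =~ /SECRET-MARKER/ ? 1 : 0;
}

# Pattern 1: class-method load_xml, reported as working as documented.
my $doc1 = XML::LibXML->load_xml(string => $xml, expand_entities => 0);

# Pattern 2: explicit parser object, the path that lost the option before 2.0119.
my $parser = XML::LibXML->new(expand_entities => 0);
my $doc2   = $parser->load_xml(string => $xml);

my $failures = 0;
for my $case ([ 'XML::LibXML->load_xml', $doc1 ], [ '$parser->load_xml', $doc2 ]) {
    my ($name, $doc) = @$case;
    if (entity_was_expanded($doc)) {
        print "$name: FAIL, external entity expanded (XML::LibXML $XML::LibXML::VERSION)\n";
        $failures++;
    } else {
        print "$name: ok, entity left unexpanded\n";
    }
}
exit($failures ? 1 : 0);
```

A non-zero exit on the second pattern is the signature of an unpatched build; either pattern expanding the entity means the parser options are not being applied as intended.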