oss-sec mailing list archives
Re: CVE request: Perl XML::LibXML
From: cve-assign () mitre org
Date: Thu, 30 Apr 2015 00:54:53 -0400 (EDT)
XEE vulnerability in Perl's XML::LibXML
The output of XEE-XML-LibXML-demo.pl should not contain external entities, but "expand_entities" is ignored. Using "$XML_DOC = XML::LibXML->load_xml" works as documented, using $parser = XML::LibXML->new and $XML_DOC = $parser->load_xml does not.
The vulnerability is fixed in version 2.0119.
https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30
http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes
LibXML.pm
$new->{XML_LIBXML_PARSER_OPTIONS} = $self->{XML_LIBXML_PARSER_OPTIONS};
2.0119 2015-04-23
- Preserve unset options after a _clone() call (e.g: in load_xml()).
- This caused expand_entities(0) to not be preserved/etc.
- Thanks to Tilmann Haak from xing.com for the report.
Use CVE-2015-3451.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
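A regression check for the behaviour described in this message, as an added example (not part of the original thread, and not the reporter's XEE-XML-LibXML-demo.pl): it parses one document with expand_entities set to 0 through both call styles and reports whether the external entity was expanded. The marker file, the sample document and the helper name `expanded` are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed, harmless marker file standing in for an external resource.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} 'EXTERNAL-ENTITY-MARKER';
close $fh or die "close: $!";

# Constructed sample document whose external entity points at the marker file.
my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file://$path"> ]>
<doc>&ext;</doc>
XML

# True if the marker text reached the serialized document, i.e. the
# external entity was expanded despite expand_entities => 0.
sub expanded {
    my ($doc) = @_;
    return $doc->toString =~ /EXTERNAL-ENTITY-MARKER/ ? 1 : 0;
}

# Call style 1: class method, reported as working as documented.
my $class_doc = XML::LibXML->load_xml(string => $xml, expand_entities => 0);

# Call style 2: parser object first, then load_xml on it. This is the path
# the report says ignored the option before 2.0119.
my $parser   = XML::LibXML->new(expand_entities => 0);
my $inst_doc = $parser->load_xml(string => $xml);

my %result = (
    'XML::LibXML->load_xml' => expanded($class_doc),
    '$parser->load_xml'     => expanded($inst_doc),
);

printf "XML::LibXML %s\n", XML::LibXML->VERSION;
for my $style (sort keys %result) {
    printf "%-24s %s\n", $style,
        $result{$style} ? 'EXPANDED (option ignored)' : 'not expanded';
}

# Fail the check if either path expanded the entity, or if the module is
# older than the fixed release named in the advisory.
my $fixed = eval { XML::LibXML->VERSION('2.0119'); 1 };
warn "installed version is older than 2.0119\n" unless $fixed;
exit( ($fixed && !grep { $_ } values %result) ? 0 : 1 );
```

The non-zero exit status makes the script usable as a CI or packaging gate for hosts that parse untrusted XML with a reusable parser object.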
Current thread:
- CVE request: Perl XML::LibXML Tilmann Haak (Apr 24)
- Re: CVE request: Perl XML::LibXML cve-assign (Apr 29)