libmarc-xml-perl: CVE-2014-1626: XML External Entity privilege escalation

Related Vulnerabilities: CVE-2014-1626  

Debian Bug report logs - #736275


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 21 Jan 2014 20:12:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Fixed in version libmarc-xml-perl/1.0.2-1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#736275; Package libmarc-xml-perl. (Tue, 21 Jan 2014 20:12:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 21 Jan 2014 20:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmarc-xml-perl: XXE vulnerability fixed in 1.0.2
Date: Tue, 21 Jan 2014 21:09:02 +0100
Package: libmarc-xml-perl
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole

From the CVE request on oss-security (CVE assignment is pending):

----cut---------cut---------cut---------cut---------cut---------cut-----
I am the maintainer of the Perl module MARC::File::XML, which is used
by various applications to manipulate a metadata format used by
libraries, and would like to request the allocation of a CVE
identifier for an XXE vulnerability that is fixed in version 1.0.2 of
the module.  I have evidence that the vulnerability can be used in at
least one F/LOSS integrated library system, Koha, to perform an
application-level privilege escalation, and another one, Evergreen, is
likely vulnerable to disclosure of the contents of arbitrary files on
the server.  I am a committer to both of those projects.

Fix: http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/

ChangeLog: https://metacpan.org/changes/distribution/MARC-XML

Announcements:

http://www.nntp.perl.org/group/perl.perl4lib/2014/01/msg3073.html
http://lists.katipo.co.nz/pipermail/koha/2014-January/038430.html
http://libmail.georgialibraries.org/pipermail/open-ils-general/2014-January/009442.html
----cut---------cut---------cut---------cut---------cut---------cut-----

See: http://www.openwall.com/lists/oss-security/2014/01/21/5

I have not checked the details; unstable, having 1.0.1, is affected,
and I have not checked the other versions.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#736275; Package libmarc-xml-perl. (Tue, 21 Jan 2014 20:51:07 GMT)


Message #8 received at 736275@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 736275@bugs.debian.org, 736275-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libmarc-xml-perl package
Date: Tue, 21 Jan 2014 20:48:49 +0000
tag 736275 + pending
thanks

Some bugs in the libmarc-xml-perl package are closed in revision
e531c3f21f94329f6f10b728094c664ef5d70caa in branch 'master' by gregor
herrmann

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libmarc-xml-perl.git;a=commitdiff;h=e531c3f

Commit message:

    New upstream release. Fixes "XXE vulnerability" (Closes: #736275)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 21 Jan 2014 20:51:10 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#736275. (Tue, 21 Jan 2014 20:51:15 GMT)


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Tue, 21 Jan 2014 21:27:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 21 Jan 2014 21:27:12 GMT)


Message #18 received at 736275-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 736275-close@bugs.debian.org
Subject: Bug#736275: fixed in libmarc-xml-perl 1.0.2-1
Date: Tue, 21 Jan 2014 21:25:17 +0000
Source: libmarc-xml-perl
Source-Version: 1.0.2-1

We believe that the bug you reported is fixed in the latest version of
libmarc-xml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736275@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libmarc-xml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 21 Jan 2014 21:44:08 +0100
Source: libmarc-xml-perl
Binary: libmarc-xml-perl
Architecture: source all
Version: 1.0.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 libmarc-xml-perl - Perl library to access MARC data encoded as XML
Closes: 736275
Changes: 
 libmarc-xml-perl (1.0.2-1) unstable; urgency=medium
 .
   * Team upload.
 .
   * New upstream release.
     Fixes XXE vulnerability:
     - MARC::File::XML will now die upon parsing a record that
       declares an external entity and tries to use it. This
       prevents the potential unwanted disclosure of the contents
       of files on the server by applications that embed this module.
     Closes: #736275
   * Update years of packaging copyright.
   * Declare compliance with Debian Policy 3.9.5.


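The behaviour the changelog above describes (refuse a record that declares an external entity rather than letting the XML parser fetch a file on the server) as an added example in Python using the standard library's expat binding; this is not code from MARC::File::XML or from the Debian package, and the two records and the file path in them are constructed for the example.

```python
# Added example (not MARC::File::XML or Debian code): mirrors the 1.0.2 fix,
# refusing a record that declares an external entity, using Python's stdlib
# expat binding. Records and the file path below are constructed.
import xml.parsers.expat as expat


class ExternalEntityError(ValueError):
    """A record declared or referenced an external (SYSTEM/PUBLIC) entity."""


def parse_marcxml(data: bytes) -> dict:
    """Return {(tag, subfield code): text} for one record; refuse external entities."""
    fields, cur = {}, {"tag": None, "code": None, "text": []}
    parser = expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:  # external entity
            raise ExternalEntityError(f"external entity declared: {name}")

    def external_ref(context, base, system_id, public_id):
        # Belt and braces: never fetch anything on the parser's behalf.
        raise ExternalEntityError(f"external entity referenced: {system_id}")

    def start(name, attrs):
        if name in ("controlfield", "datafield"):
            cur.update(tag=attrs.get("tag"), code=None, text=[])
        elif name == "subfield":
            cur.update(code=attrs.get("code"), text=[])

    def end(name):
        if name in ("controlfield", "subfield") and cur["tag"]:
            fields[(cur["tag"], cur["code"])] = "".join(cur["text"])

    parser.EntityDeclHandler = entity_decl          # refuse at declaration
    parser.ExternalEntityRefHandler = external_ref  # refuse at use, too
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda text: cur["text"].append(text)
    parser.Parse(data, True)
    return fields


# Constructed records: a harmless internal entity, then an external one.
GOOD_RECORD = b"""<!DOCTYPE record [<!ENTITY pub "Example Press">]>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <controlfield tag="001">12345</controlfield>
  <datafield tag="260"><subfield code="b">&pub;</subfield></datafield></record>"""
XXE_RECORD = b"""<!DOCTYPE record [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <datafield tag="245"><subfield code="a">&ext;</subfield></datafield></record>"""
```

Internal entities such as `&pub;` are still expanded, so legitimate records with a DTD keep working; only SYSTEM/PUBLIC declarations are rejected.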



Changed Bug title to 'libmarc-xml-perl: CVE-2014-1626: XML External Entity privilege escalation' from 'libmarc-xml-perl: XXE vulnerability fixed in 1.0.2'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 22 Jan 2014 05:21:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:51:20 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:12:17 2019; Machine Name: beach
