| Name | CVE-2016-9181 |
| Description | perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 842891 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libimage-info-perl (PTS) | buster | 1.41-1 | fixed |
| bullseye | 1.42-1 | fixed | |
| bookworm | 1.43-1 | fixed | |
| sid, trixie | 1.44-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libimage-info-perl | source | (unstable) | 1.39-1 | 842891 |
[jessie] - libimage-info-perl <no-dsa> (Minor issue)
[wheezy] - libimage-info-perl <no-dsa> (Minor issue)
https://rt.cpan.org/Public/Bug/Display.html?id=118099
https://bugzilla.redhat.com/show_bug.cgi?id=1379556
Upstream commit: https://github.com/eserte/image-info/commit/781625b643bc05ba92127a4554de7910f3f2f8e6
https://www.openwall.com/lists/oss-security/2016/11/02/1
Older versions of libimage-info-perl only can use XML::Simple.
Controlling XXE processing behavior in XML::Simple is not really
possible (see https://rt.cpan.org/Ticket/Display.html?id=83794),
so as a workaround the underlying SAX parser is fixed to
XML::SAX::PurePerl which is uncapable of processing external entities
but unfortunately it is also a slow parser.