CVE-2014-1626

NameCVE-2014-1626
DescriptionXML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs736275

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libmarc-xml-perl (PTS)wheezy0.93-1vulnerable
buster, sid, jessie, stretch1.0.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libmarc-xml-perlsource(unstable)1.0.2-1medium736275

Notes

[wheezy] - libmarc-xml-perl <no-dsa> (Too intrusive to backport)
[squeeze] - libmarc-xml-perl <no-dsa> (Too intrusive to backport)
http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/
older versions do not have the ability to set a user custom parser, trying to fix CVE-2014-1626 not clear yet
upstream developer contacted and is looking into it; backport fix might be to intrusive due to change in used Module

Search for package or bug name: Reporting problems