CVE-2016-9181

NameCVE-2016-9181
Descriptionperl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs842891

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libimage-info-perl (PTS)wheezy, jessie1.28-1vulnerable
buster, sid, stretch1.39-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libimage-info-perlsource(unstable)1.39-1medium842891

Notes

[jessie] - libimage-info-perl <no-dsa> (Minor issue)
[wheezy] - libimage-info-perl <no-dsa> (Minor issue)
https://rt.cpan.org/Public/Bug/Display.html?id=118099
https://bugzilla.redhat.com/show_bug.cgi?id=1379556
Upstream commit: https://github.com/eserte/image-info/commit/781625b643bc05ba92127a4554de7910f3f2f8e6
http://www.openwall.com/lists/oss-security/2016/11/02/1
Older versions of libimage-info-perl only can use XML::Simple.
Controlling XXE processing behavior in XML::Simple is not really
possible (see https://rt.cpan.org/Ticket/Display.html?id=83794),
so as a workaround the underlying SAX parser is fixed to
XML::SAX::PurePerl which is uncapable of processing external entities
but unfortunately it is also a slow parser.

Search for package or bug name: Reporting problems