|Description||perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|libimage-info-perl (PTS)||wheezy, jessie||1.28-1||vulnerable|
|libimage-info-perl (PTS)||buster, sid, stretch||1.39-1||fixed|
The information below is based on the following data on fixed versions.
[jessie] - libimage-info-perl <no-dsa> (Minor issue)
[wheezy] - libimage-info-perl <no-dsa> (Minor issue)
Upstream commit: https://github.com/eserte/image-info/commit/781625b643bc05ba92127a4554de7910f3f2f8e6
Older versions of libimage-info-perl can only use XML::Simple. Controlling XXE processing behaviour in XML::Simple is not really possible (see https://rt.cpan.org/Ticket/Display.html?id=83794), so as a workaround the underlying SAX parser is fixed to XML::SAX::PurePerl, which is incapable of processing external entities but unfortunately is also a slow parser.
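The workaround described above, shown as an added example (this is not the code from the upstream commit or from Image::Info itself): XML::Simple obtains its SAX parser from XML::SAX::ParserFactory, and the factory honours the global `$XML::SAX::ParserPackage`, so setting it to XML::SAX::PurePerl before any parsing pins the parser that cannot resolve external entities. The `selected_sax_parser` and `svg_dimensions` helpers and the sample SVG are assumptions constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::SAX::ParserFactory;
use XML::Simple qw(XMLin);

# Force every parser handed out by XML::SAX::ParserFactory (which is how
# XML::Simple gets its SAX parser) to be XML::SAX::PurePerl. That parser
# never fetches external entities, so an <!ENTITY x SYSTEM "..."> in an
# SVG cannot pull in local files or remote URLs. The trade-off noted in
# the tracker applies: it is much slower than libxml2-backed parsers.
$XML::SAX::ParserPackage = 'XML::SAX::PurePerl';

# Report which parser class the factory now returns, so a deployment can
# verify the pin actually took effect (hypothetical helper).
sub selected_sax_parser {
    my $parser = XML::SAX::ParserFactory->parser();
    return ref $parser;
}

# Minimal stand-in for what Image::Info does with an SVG: read the root
# element's width and height attributes via XML::Simple (hypothetical helper).
sub svg_dimensions {
    my ($svg_text) = @_;
    my $doc = XMLin($svg_text, KeyAttr => [], ForceArray => 0);
    return ($doc->{width}, $doc->{height});
}

# Constructed sample input, not a real file.
my $sample_svg = <<'SVG';
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="120" height="80">
  <title>constructed sample</title>
</svg>
SVG

print "SAX parser in use: ", selected_sax_parser(), "\n";
my ($w, $h) = svg_dimensions($sample_svg);
print "width=$w height=$h\n";
```

The pin must be set before the first call into XML::Simple (or any other XML::SAX consumer in the process), since the factory decides the parser class per call; setting `$XML::Simple::PREFERRED_PARSER` to the same class name is the XML::Simple-specific equivalent. Printing the selected class is worth keeping in production code paths as a startup check: if a newer XML::SAX::ParserDetails.ini or a different parser package is installed later, this is the line that reveals the pin no longer holds.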