Descriptionperl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs842891

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libimage-info-perl (PTS)jessie1.28-1vulnerable
buster, sid1.41-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[jessie] - libimage-info-perl <no-dsa> (Minor issue)
[wheezy] - libimage-info-perl <no-dsa> (Minor issue)
Upstream commit:
Older versions of libimage-info-perl only can use XML::Simple.
Controlling XXE processing behavior in XML::Simple is not really
possible (see,
so as a workaround the underlying SAX parser is fixed to
XML::SAX::PurePerl which is uncapable of processing external entities
but unfortunately it is also a slow parser.

Search for package or bug name: Reporting problems