[arch-security] [ASA-201504-32] perl-xml-libxml: XML External Entity

Christian Rebischke chris.rebischke at gmail.com
Thu Apr 30 18:24:41 UTC 2015


Arch Linux Security Advisory ASA-201504-32
=========================================

Severity: low
Date    : 2015-04-30
CVE-ID  : CVE-2015-3451
Package : perl-xml-libxml
Type    : XML External Entity
Remote  : yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package perl-xml-libxml before version 2.0119-1 is vulnerable to an
XML external entity (XXE) vulnerability: a parser explicitly configured
not to expand entities could still expand external entities when a
document was loaded through load_xml().

Resolution
==========

Upgrade to 2.0119-1

# pacman -Syu "perl-xml-libxml>=2.0119-1"

The problem has been fixed upstream in version 2.0119.

Workaround
==========

None.

Description
===========

Parser options that had been explicitly unset (for example
expand_entities => 0) were not preserved across a _clone() call, such as
the one made internally by load_xml(). The cloned parser therefore fell
back to expanding entities, so a crafted document containing an external
general entity could be used for an XML external entity (XXE) attack
against applications that believed they had disabled entity expansion.
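The following check is an added example, not part of the advisory or of the XML::LibXML distribution. It builds a constructed "secret" file in a temporary location, feeds a constructed document with an external entity pointing at that file to a parser created with expand_entities => 0, and parses it twice: once through parse_string(), which applies the parser object's options directly, and once through load_xml(), which goes through the _clone() path the advisory describes. If the file content shows up in the serialised output of the load_xml() path, the installed XML::LibXML drops the unset option and is affected.

```perl
#!/usr/bin/env perl
# Added example: probe whether XML::LibXML honours expand_entities => 0
# on the load_xml() path (CVE-2015-3451). Not code from the advisory.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed stand-in for a sensitive local file (e.g. /etc/passwd).
my $secret = 'constructed-secret-token-12345';
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print {$fh} "$secret\n";
close $fh;

# Constructed attacker-controlled document: an external general entity
# that resolves to the local file above.
my $xml = <<"END_XML";
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<doc>&xxe;</doc>
END_XML

# The application's intent: never expand entities.
my $parser = XML::LibXML->new(expand_entities => 0);

# Returns 1 if the secret was inlined into the parsed tree, 0 otherwise.
sub leaked {
    my ($doc) = @_;
    return index($doc->toString, $secret) >= 0 ? 1 : 0;
}

# Path 1: parse_string() uses the parser object's own option set.
my $leak_parse_string = leaked($parser->parse_string($xml));

# Path 2: load_xml() clones the parser first; before 2.0119 the
# explicitly unset expand_entities option was not carried over.
my $leak_load_xml = leaked($parser->load_xml(string => $xml));

printf "XML::LibXML %s\n", XML::LibXML->VERSION;
printf "parse_string() leaked file content: %s\n",
    $leak_parse_string ? 'yes' : 'no';
printf "load_xml()     leaked file content: %s\n",
    $leak_load_xml ? 'yes' : 'no';

if ($leak_load_xml) {
    print "AFFECTED: load_xml() ignored expand_entities => 0 "
        . "(CVE-2015-3451)\n";
    exit 1;
}
print "OK: expand_entities => 0 was honoured on both parse paths\n";
exit 0;
```

Run it against the installed module before and after the upgrade; the exit status (1 when the load_xml() path inlines the file content, 0 otherwise) makes it usable in a post-upgrade verification step. The parse_string() line is included as a control so that a leak there, which would point at a different misconfiguration rather than this bug, is not mistaken for CVE-2015-3451.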

Impact
======

This vulnerability may lead to the disclosure of confidential data, denial of
service, port scanning from the perspective of the machine where the parser is
located, and other system impacts.

References
==========

http://www.openwall.com/lists/oss-security/2015/04/30/1
https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30
http://cpansearch.perl.org/src/SHLOMIF/XML-LibXML-2.0119/Changes
