aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRaphael Kubo da Costa <rakuco@FreeBSD.org>2012-03-25 17:20:54 +0000
committerRaphael Kubo da Costa <rakuco@FreeBSD.org>2012-03-25 17:20:54 +0000
commited42977f669e7325a0dbba3ff7f89c4e85d8b57e (patch)
treeaed843f5cf280ad8e0435d4f40805c007ef0182b
parentf1c6dc5673c1156e21aa76bc2cd330c5c51e3ce0 (diff)
downloadports-ed42977f669e7325a0dbba3ff7f89c4e85d8b57e.tar.gz
ports-ed42977f669e7325a0dbba3ff7f89c4e85d8b57e.zip
Document CVE-2012-0037 for textproc/raptor and textproc/raptor2.
Security: CVE-2012-0037 Feature safe: yes
Notes
Notes: svn path=/head/; revision=293808
-rw-r--r--security/vuxml/vuln.xml44
1 files changed, 44 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 6a8c24178048..40aeba321fa8 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -52,6 +52,50 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="60f81af3-7690-11e1-9423-00235a5f2c9a">
+ <topic>raptor/raptor2 -- XXE in RDF/XML File Interpretation</topic>
+ <affects>
+ <package>
+ <name>raptor2</name>
+ <range><lt>2.0.7</lt></range>
+ </package>
+ <package>
+ <name>raptor</name>
+ <range><lt>1.4.21_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Timothy D. Morgan reports:</p>
+ <blockquote cite="http://www.vsecurity.com/resources/advisory/20120324-1/">
+ <p>In December 2011, VSR identified a vulnerability in multiple open
+ source office products (including OpenOffice, LibreOffice, KOffice,
+ and AbiWord) due to unsafe interpretation of XML files with custom
+ entity declarations. Deeper analysis revealed that the vulnerability
+ was caused by acceptance of external entities by the libraptor
+ library, which is used by librdf and is in turn used by these office
+ products.</p>
+ <p>In the context of office applications, these vulnerabilities could
+ allow for XML External Entity (XXE) attacks resulting in file theft
+ and a loss of user privacy when opening potentially malicious ODF
+ documents. For other applications which depend on librdf or
+ libraptor, potentially serious consequences could result from
+ accepting RDF/XML content from untrusted sources, though the impact
+ may vary widely depending on the context.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-0037</cvename>
+ <url>http://seclists.org/fulldisclosure/2012/Mar/281</url>
+ <url>http://www.vsecurity.com/resources/advisory/20120324-1/</url>
+ </references>
+ <dates>
+ <discovery>2012-03-24</discovery>
+ <entry>2012-03-25</entry>
+ </dates>
+ </vuln>
+
<vuln vid="42a2c82a-75b9-11e1-89b4-001ec9578670">
<topic>quagga -- multiple vulnerabilities</topic>
<affects>