https://bugzilla.redhat.com/show_bug.cgi?id=1512827
Bug ID: 1512827
Summary: CVE-2017-9096 itext: External entities not disabled
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: alazarot@redhat.com, andjrobins@gmail.com, anstephe@redhat.com, etirelli@redhat.com, ibek@redhat.com, java-sig-commits@lists.fedoraproject.org, kverlaen@redhat.com, lef@fedoraproject.org, lpetrovi@redhat.com, oget.fedora@gmail.com, paradhya@redhat.com, pavelp@redhat.com, pszubiak@redhat.com, puntogil@libero.it, rrajasek@redhat.com, rsynek@redhat.com, rzhang@redhat.com, sdaley@redhat.com
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
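The weakness class here (CWE-611) is a JAXP parser left at its defaults, which resolve a DOCTYPE's external entities when the document is parsed. The following is an added example written for this page, not iText's code or its fix: it builds a constructed payload of the kind a PDF-embedded XML stream (an XFA form or XMP metadata, for instance) could carry, parses it once with a stock DocumentBuilderFactory and once with a factory hardened along the lines of the OWASP XXE Prevention Cheat Sheet, and shows that only the default configuration leaks the file. The temp file, the XxeDemo class and the parseField helper are all assumptions made for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeDemo {

    /** Constructed payload: a DOCTYPE declaring an external entity that resolves to a local file. */
    static String craftedXml(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE form [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<form><field>&xxe;</field></form>";
    }

    /** Stock JAXP factory: DOCTYPE allowed and external entities resolved. This is the vulnerable shape. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory following the OWASP XXE Prevention Cheat Sheet settings for JAXP/Xerces. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary fix: refuse any DOCTYPE, so no entity can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments where a DOCTYPE has to be tolerated.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 access restrictions: no external DTD or schema fetch over any protocol.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    /**
     * Parses the document and returns the text of the first <field>.
     * Returns null when the parser rejects the document, which is what the
     * hardened factory does as soon as it sees the DOCTYPE.
     */
    static String parseField(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, IOException {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("field").item(0).getTextContent();
        } catch (SAXException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a file the attacker wants to read; created here so the demo runs offline.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-TOKEN".getBytes(StandardCharsets.UTF_8));
        try {
            String xml = craftedXml(secret);
            // Default parser: the entity is resolved and the file content ends up in the DOM.
            System.out.println("default parser  -> field = " + parseField(defaultFactory(), xml));
            // Hardened parser: the DOCTYPE is a fatal error, so nothing is resolved.
            System.out.println("hardened parser -> field = " + parseField(hardenedFactory(), xml));
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with a plain JDK (`javac XxeDemo.java && java XxeDemo`); the first line prints the leaked SECRET-TOKEN, the second prints null. The JDK's bundled Xerces also writes a "[Fatal Error] ... DOCTYPE is disallowed" message to stderr before throwing, which is the rejection you want to see. The same DOCTYPE-refusal applies to any library that parses attacker-supplied XML with JAXP defaults, not only to PDF processing.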
External References:
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2...
Andrej Nemec anemec@redhat.com changed:
What       | Removed | Added
-----------|---------|--------
Depends On |         | 1512828
--- Comment #1 from Andrej Nemec anemec@redhat.com --- Created itext tracking bugs for this issue:
Affects: fedora-all [bug 1512828]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1512828 [Bug 1512828] CVE-2017-9096 itext: External entities not disabled [fedora-all]
Andrej Nemec anemec@redhat.com changed:
What   | Removed | Added
-------|---------|--------
Blocks |         | 1512829
Chess Hazlett chazlett@redhat.com changed:
What       | Removed | Added
-----------|---------|--------
CC         |         | aileenc@redhat.com, bkundal@redhat.com, bmaxwell@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dimitris@redhat.com, dosoudil@redhat.com, gvarsami@redhat.com, jawilson@redhat.com, jcoleman@redhat.com, jshepherd@redhat.com, kconner@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, myarboro@redhat.com, nwallace@redhat.com, pgier@redhat.com, psakar@redhat.com, pslavice@redhat.com, rnetuka@redhat.com, rsvoboda@redhat.com, rwagner@redhat.com, tcunning@redhat.com, tkirby@redhat.com, twalsh@redhat.com, vtunka@redhat.com
Whiteboard | impact=moderate,public=20171106,reported=20171108,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-611,fedora-all/itext=affected,bpms-6/itext=new | impact=moderate,public=20171106,reported=20171107,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-611,fedora-all/itext=affected,bpms-6/itext=new,brms-6/itext=new,soap-5/itext=new,eap-5/itext=new
Martin Prpič mprpic@redhat.com changed:
What       | Removed | Added
-----------|---------|--------
Whiteboard | impact=moderate,public=20171106,reported=20171107,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-611,fedora-all/itext=affected,bpms-6/itext=new,brms-6/itext=new,soap-5/itext=new,eap-5/itext=new | impact=moderate,public=20171106,reported=20171108,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-611,fedora-all/itext=affected,bpms-6/itext=new,brms-6/itext=new,soap-5/itext=new,eap-5/itext=new
Pavel Polischouk pavelp@redhat.com changed:
What       | Removed | Added
-----------|---------|--------
Whiteboard | impact=moderate,public=20171106,reported=20171108,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-611,fedora-all/itext=affected,bpms-6/itext=new,brms-6/itext=new,soap-5/itext=new,eap-5/itext=new | impact=moderate,public=20171106,reported=20171108,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-611,fedora-all/itext=affected,bpms-6/itext=notaffected,brms-6/itext=notaffected,soap-5/itext=wontfix,eap-5/itext=new
Chess Hazlett chazlett@redhat.com changed:
What        | Removed | Added
------------|---------|--------
Status      | NEW     | CLOSED
Resolution  | ---     | WONTFIX
Whiteboard  | impact=moderate,public=20171106,reported=20171108,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-611,fedora-all/itext=affected,bpms-6/itext=notaffected,brms-6/itext=notaffected,soap-5/itext=wontfix,eap-5/itext=new | impact=moderate,public=20171106,reported=20171108,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N,cwe=CWE-611,fedora-all/itext=affected,bpms-6/itext=notaffected,brms-6/itext=notaffected,soap-5/itext=wontfix,eap-5/itext=wontfix
Last Closed |         | 2018-04-22 19:55:55
Bug 1512827 depends on bug 1512828, which changed state.
Bug 1512828 Summary: CVE-2017-9096 itext: External entities not disabled [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1512828
What       | Removed | Added
-----------|---------|--------
Status     | NEW     | CLOSED
Resolution | ---     | EOL
Bug 1512827 depends on bug 1512828, which changed state.
Bug 1512828 Summary: CVE-2017-9096 itext: External entities not disabled [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1512828
What       | Removed | Added
-----------|---------|--------
Status     | CLOSED  | NEW
Resolution | EOL     | ---