[Koha] SECURITY release: MARC::File::XML 1.0.2

Galen Charlton gmc at esilibrary.com
Wed Jan 22 07:32:23 NZDT 2014


I have uploaded [1] version 1.0.2 of MARC::File::XML, a Perl module
which is used by Koha. This is a security release that repairs an XML
external entity (XXE) vulnerability.  I know of at least one way that
the vulnerability could be used by an individual who has staff
interface credentials to view the contents of arbitrary files on the
Koha server.

Consequently, I recommend that Koha users arrange to upgrade
MARC::File::XML promptly.  On many Linux systems, this can be done by
running the following command with root privileges:

cpan MARC::File::XML

If the installation fails, the most likely reason is that your version
of ExtUtils::MakeMaker is not recent enough.  You can fix this by
running the following command first, then attempting the installation
of MARC::File::XML again.

cpan ExtUtils::MakeMaker

Please note that at the time of this writing, not all CPAN mirrors
will have the most recent version of MARC::File::XML.

You can check the version of MARC::File::XML that is installed by running:

perl -MMARC::File::XML -e 'print $MARC::File::XML::VERSION, "\n"'

I imagine that an updated Debian package of libmarc-xml-perl will be
made available on debian.koha-community.org at some point as well.
For any users of Koha on Fedora that are out there, Dan Scott will be
packaging MARC::File::XML 1.0.2 shortly.

Please note that older releases of MARC::File::XML prior to the switch
to XML::LibXML are also vulnerable.

Here is the relevant change log entry:

1.0.2 Tue Jan 21 17:18:37 UTC 2014
       - MARC::File::XML will now die upon parsing a record that
         declares an external entity and tries to use it. This
         prevents the potential unwanted disclosure of the contents
         of files on the server by applications that embed this module.
         If, for some reason, an application needs to process MARCXML
         records that contain external entities, set_parser() can be
         used to force the use of an XML::LibXML parser that is
         configured to process external entities.

         The issue was reported by John Lightsey.

[1] https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2


Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
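
As an added illustration (not the module's code, and not part of the message above): a Perl check built on XML::LibXML that reproduces the behaviour the change log describes, rejecting a record that declares an external entity while parsing an ordinary MARCXML record normally. The two records, the placeholder file URI, and the `strict_parser` / `title_from_record` names are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;

# Constructed MARCXML record with no DTD and no entities; should parse.
my $benign = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <datafield tag="245" ind1="0" ind2="0">
    <subfield code="a">A harmless title</subfield>
  </datafield>
</record>
XML

# Constructed record that declares an external entity and references it
# inside a subfield (the XXE pattern the change log describes).
# The SYSTEM URI is a placeholder, not a real file.
my $external_entity = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE record [
  <!ENTITY ext SYSTEM "file:///path/to/placeholder.txt">
]>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nam a2200000 a 4500</leader>
  <datafield tag="245" ind1="0" ind2="0">
    <subfield code="a">&ext;</subfield>
  </datafield>
</record>
XML

# Parser that refuses to resolve external entities: libxml2 calls
# ext_ent_handler whenever it needs to load one, and dying there aborts
# the parse. load_ext_dtd and no_network close the other loading paths.
sub strict_parser {
    return XML::LibXML->new(
        load_ext_dtd    => 0,
        no_network      => 1,
        ext_ent_handler => sub { die "External entities are not supported\n" },
    );
}

# Returns the 245$a value, or dies if the parser rejects the record.
sub title_from_record {
    my ($parser, $xml) = @_;
    my $doc = $parser->load_xml(string => $xml);
    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs(m => 'http://www.loc.gov/MARC21/slim');
    return $xpc->findvalue('//m:datafield[@tag="245"]/m:subfield[@code="a"]');
}

my $parser = strict_parser();
print "benign record: ", title_from_record($parser, $benign), "\n";
my $title = eval { title_from_record($parser, $external_entity) };
print "entity record: ", (defined $title ? "ACCEPTED\n" : "rejected: $@");
```

An application that has reason to accept such records would instead hand MARC::File::XML a deliberately permissive XML::LibXML parser through set_parser(), as the change log notes; the strict parser is the default worth keeping.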