FreeBSD : raptor/raptor2 -- XXE in RDF/XML File Interpretation (60f81af3-7690-11e1-9423-00235a5f2c9a)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Timothy D. Morgan reports :

In December 2011, VSR identified a vulnerability in multiple open
source office products (including OpenOffice, LibreOffice, KOffice,
and AbiWord) due to unsafe interpretation of XML files with custom
entity declarations. Deeper analysis revealed that the vulnerability
was caused by acceptance of external entities by the libraptor
library, which is used by librdf and is in turn used by these office
products.

In the context of office applications, these vulnerabilities could
allow for XML External Entity (XXE) attacks resulting in file theft
and a loss of user privacy when opening potentially malicious ODF
documents. For other applications which depend on librdf or libraptor,
potentially serious consequences could result from accepting RDF/XML
content from untrusted sources, though the impact may vary widely
depending on the context.

See also :

http://seclists.org/fulldisclosure/2012/Mar/281
http://www.vsecurity.com/resources/advisory/20120324-1/
http://www.nessus.org/u?e584d1f0

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 58472

Bugtraq ID:

CVE ID: CVE-2012-0037
