1527789 – translate-toolkit: Maliciously crafted .XLF files can result arbitrary file read and potential code exection

Bug 1527789 - translate-toolkit: Maliciously crafted .XLF files can result arbitrary file read and potential code exection

Summary: translate-toolkit: Maliciously crafted .XLF files can result arbitrary file r...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1527790
Blocks:
TreeView+	depends on / blocked

Reported:	2017-12-20 06:15 UTC by Sam Fowler
Modified:	2021-10-21 11:58 UTC (History)
CC List:	5 users (show)
Fixed In Version:	translate-toolkit 2.2.0
Clone Of:
Environment:
Last Closed:	2021-10-21 11:58:33 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2017-12-20 06:15:13 UTC

translate-toolkit before version 2.2.0 is vulnerable to XML External Entity Execution. An attacker could exploit this by supplying a maliciously crafted .XLF file causing an arbitrary file read or potential arbitrary code execution.

References:
https://bugzilla.novell.com/show_bug.cgi?id=1073535
https://github.com/translate/translate/pull/3632/files
https://hackerone.com/reports/232614

Comment 1 Sam Fowler 2017-12-20 06:15:45 UTC

Created translate-toolkit tracking bugs for this issue:

Affects: epel-all [bug 1527790]

Note You need to log in before you can comment on or make changes to this bug.