4 Jul 2020, 16:34
http://bugzilla.opensuse.org/show_bug.cgi?id=1173633
http://bugzilla.opensuse.org/show_bug.cgi?id=1173633#c1

--- Comment #1 from Mindaugas Baranauskas <opensuse.lietuviu.kalba@gmail.com> ---
openSUSE has Tuxguitar 1.4 instead of 1.5.4.

According to the OWASP XXE Prevention Cheat Sheet
<https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html>,
this problem can be solved by proper configuration of a parser:

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);

However, I don't know where to patch Tuxguitar...
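The parser setting quoted in the comment above, shown as an added example (it is not TuxGuitar's code and not part of the original mail): a factory with the feature set rejects any document that carries a DOCTYPE, while a default factory accepts it. The class name, helper names and the two sample documents are constructed for illustration, and the JDK's built-in parser is assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class DoctypeCheck {
    static final String FEATURE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Factory configured as in the comment: a DOCTYPE declaration becomes a fatal error.
    // setFeature throws ParserConfigurationException if the parser does not know the
    // feature, so an unsupported parser fails loudly instead of silently staying open.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(FEATURE, true);
        return dbf;
    }

    // Returns true if the parser accepted the document, false if it rejected it.
    static boolean accepts(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            return false; // with the feature set: "DOCTYPE is disallowed ..."
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the DOCTYPE only declares a harmless internal entity.
        String plain = "<doc><title>demo</title></doc>";
        String withDoctype =
            "<!DOCTYPE doc [<!ENTITY e \"demo\">]><doc><title>&e;</title></doc>";

        DocumentBuilderFactory defaults = DocumentBuilderFactory.newInstance();
        DocumentBuilderFactory hardened = hardenedFactory();

        System.out.println("default,  plain:   " + accepts(defaults, plain));
        System.out.println("default,  DOCTYPE: " + accepts(defaults, withDoctype));
        System.out.println("hardened, plain:   " + accepts(hardened, plain));
        System.out.println("hardened, DOCTYPE: " + accepts(hardened, withDoctype));
    }
}
```

The same two-document check can serve as a regression test once the factory used by the application's XML readers has been located and patched.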