UbuntuUpdates.org

Package "expat"

Name: expat

Description:

XML parsing C library - example application

Latest version: 2.0.1-7.2ubuntu1.7
Release: precise (12.04)
Level: security
Repository: main
Homepage: http://expat.sourceforge.net

Other versions of "expat" in Precise

Repository  Area  Version
base        main  2.0.1-7.2ubuntu1
updates     main  2.0.1-7.2ubuntu1.7

Changelog

Version: 2.0.1-7.2ubuntu1.7 2021-05-03 14:07:14 UTC

  expat (2.0.1-7.2ubuntu1.7) precise-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer over-read
    - debian/patches/CVE-2019-15903.dpatch: Deny internal
      entities closing the doctype in lib/xmlparse.c.
    - CVE-2019-15903

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 10 Sep 2019 11:42:28 -0300

CVE-2019-15903 In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to

Version: 2.0.1-7.2ubuntu1.4 2016-06-20 18:06:49 UTC

  expat (2.0.1-7.2ubuntu1.4) precise-security; urgency=medium

  * SECURITY UPDATE: unanticipated internal calls to srand
    - debian/patches/CVE-2012-6702-1.dpatch: remove srand, use more entropy
      in lib/xmlparse.c.
    - debian/patches/CVE-2012-6702-2.dpatch: use a prime that fits 32bits
      on 32bit platforms in lib/xmlparse.c.
    - CVE-2012-6702
  * SECURITY UPDATE: use of too little entropy
    - debian/patches/CVE-2016-5300-1.dpatch: extract method
      gather_time_entropy in lib/xmlparse.c.
    - debian/patches/CVE-2016-5300-2.dpatch: extract entropy from
      XML_Parser address in lib/xmlparse.c.
    - CVE-2016-5300

 -- Marc Deslauriers <email address hidden> Fri, 10 Jun 2016 08:54:12 -0400

CVE-2012-6702 Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat
CVE-2016-5300 The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of servic

Version: 2.0.1-7.2ubuntu1.3 2016-05-18 12:07:20 UTC

  expat (2.0.1-7.2ubuntu1.3) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    malformed documents
    - debian/patches/CVE-2016-0718.dpatch: fix out of bounds memory access
      and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
      lib/xmltok_impl.c.
    - CVE-2016-0718
  * SECURITY UPDATE: integer overflows in XML_GetBuffer
    - debian/patches/CVE-2015-1283-refix.dpatch: improved existing fix in
      lib/xmlparse.c.
    - CVE-2015-1283

 -- Marc Deslauriers <email address hidden> Mon, 16 May 2016 12:54:36 -0400

CVE-2015-1283 Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, all

Version: 2.0.1-7.2ubuntu1.2 2015-08-31 18:06:38 UTC

  expat (2.0.1-7.2ubuntu1.2) precise-security; urgency=medium

  * SECURITY UPDATE: integer overflows in XML_GetBuffer
    - debian/patches/CVE-2015-1283.dpatch: add checks to lib/xmlparse.c.
    - CVE-2015-1283

 -- Marc Deslauriers Fri, 28 Aug 2015 09:33:57 -0400

CVE-2015-1283 Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, all

Version: 2.0.1-7.2ubuntu1.1 2012-08-10 04:06:54 UTC

  expat (2.0.1-7.2ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: Denial of service via memory leak
    - debian/patches/788888_CVE_2012_1148.dpatch: Properly reallocate memory.
      Based on upstream patch.
    - CVE-2012-1148

 -- Tyler Hicks <email address hidden> Thu, 09 Aug 2012 11:15:38 -0700

CVE-2012-1148 Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (me
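The changelog above shows the usual LTS pattern: the upstream version of the precise package never moves from 2.0.1, and every fix arrives as a new Debian revision (ubuntu1.1 through ubuntu1.7). A scanner that compares only the upstream part against the upstream fix release therefore reports all six CVEs as open on a fully patched host. The following script is an added example, not code from UbuntuUpdates.org or from the expat project. It compares a full Debian version string with dpkg's ordering rules against both the upstream fix release and the precise-security revision that carries the backport. The precise revision table is read off the changelog above (CVE-2015-1283 is mapped to ubuntu1.3, the revision with the improved fix); the 2.1.0, 2.1.1 and 2.2.8 upstream fix releases follow the CVE descriptions quoted on this page, while 2.2.0 for CVE-2016-0718, CVE-2012-6702 and CVE-2016-5300 is taken from upstream's release notes and is an assumption of this example. All function names are mine.

```python
"""Report which CVEs from this changelog are still open for a given expat package version.

Added example, not code from UbuntuUpdates.org or the expat project.
"""
from xml.parsers import expat

# Upstream release containing each fix. 2.1.0, 2.1.1 and 2.2.8 follow the CVE
# descriptions on this page; 2.2.0 for the other three comes from upstream's
# release notes and is an assumption of this example, not stated on the page.
UPSTREAM_FIX = {
    "CVE-2012-1148": "2.1.0",
    "CVE-2015-1283": "2.1.1",
    "CVE-2016-0718": "2.2.0",
    "CVE-2012-6702": "2.2.0",
    "CVE-2016-5300": "2.2.0",
    "CVE-2019-15903": "2.2.8",
}

# precise-security revision carrying each fix, taken from the changelog above.
# CVE-2015-1283 maps to ubuntu1.3, the revision with the "improved existing fix".
PRECISE_FIX = {
    "CVE-2012-1148": "2.0.1-7.2ubuntu1.1",
    "CVE-2015-1283": "2.0.1-7.2ubuntu1.3",
    "CVE-2016-0718": "2.0.1-7.2ubuntu1.3",
    "CVE-2012-6702": "2.0.1-7.2ubuntu1.4",
    "CVE-2016-5300": "2.0.1-7.2ubuntu1.4",
    "CVE-2019-15903": "2.0.1-7.2ubuntu1.7",
}
# The backport table only applies to this package lineage: upstream 2.0.1, revision 7.2ubuntu1.*
PRECISE_UPSTREAM, PRECISE_REVISION_PREFIX = "2.0.1", "7.2ubuntu1"


def split_version(v):
    """Split a Debian version string into (epoch, upstream, debian_revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _order(c):
    """dpkg's ranking of a non-digit character: '~' < end of string < letters < others."""
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def fragment_cmp(a, b):
    """Port of dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: rank characters; end of string or a digit ranks 0 and stops the run
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare digit by digit; a longer run is larger
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def version_cmp(a, b):
    """Full dpkg ordering: epoch first, then upstream version, then Debian revision."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or fragment_cmp(ua, ub) or fragment_cmp(ra, rb)


def open_cves(installed):
    """CVEs from this changelog not fixed in `installed`, e.g. "2.0.1-7.2ubuntu1.4"."""
    _, upstream, revision = split_version(installed)
    in_lineage = upstream == PRECISE_UPSTREAM and revision.startswith(PRECISE_REVISION_PREFIX)
    still_open = []
    for cve, fix in UPSTREAM_FIX.items():
        if fragment_cmp(upstream, fix) >= 0:
            continue  # upstream release already contains the fix
        if in_lineage and version_cmp(installed, PRECISE_FIX[cve]) >= 0:
            continue  # fix reached this host as a precise-security backport
        still_open.append(cve)
    return still_open


def runtime_expat_version():
    """Version of the libexpat this interpreter's pyexpat is built against, as "x.y.z"."""
    return ".".join(str(n) for n in expat.version_info)


if __name__ == "__main__":
    import sys
    # Usage: python3 expat_cves.py [debian-version ...]; defaults to the interpreter's own expat
    for v in sys.argv[1:] or [runtime_expat_version()]:
        print(v, "open:", ", ".join(open_cves(v)) or "none")
```

On an Ubuntu host the vulnerable code lives in the library package libexpat1, built from the same source package as the `expat` example application listed on this page, so the version to feed in is `dpkg-query -W -f='${Version}\n' libexpat1`. Versions outside the precise lineage (a different revision prefix or another distribution's build) are judged by upstream version alone, which is conservative and may flag backported fixes this table knows nothing about.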
