UbuntuUpdates.org

Package "expat"

Name: expat

Description:

XML parsing C library - example application

Latest version: 2.1.0-7ubuntu0.16.04.5
Release: xenial (16.04)
Level: updates
Repository: universe
Homepage: http://expat.sourceforge.net

Other versions of "expat" in Xenial

Repository  Area      Version
base        universe  2.1.0-7
security    main      2.1.0-7ubuntu0.16.04.5
security    universe  2.1.0-7ubuntu0.16.04.5
updates     main      2.1.0-7ubuntu0.16.04.5

Changelog

Version: 2.1.0-7ubuntu0.16.04.5 2019-09-12 20:06:30 UTC

  expat (2.1.0-7ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer over-read
    - debian/patches/CVE-2019-15903.patch: Deny internal
      entities closing the doctype in lib/xmlparse.c.
    - CVE-2019-15903

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 10 Sep 2019 15:27:03 -0300

Source diff to previous version
CVE-2019-15903 In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to

Version: 2.1.0-7ubuntu0.16.04.4 2019-06-26 21:06:52 UTC

  expat (2.1.0-7ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-20843.patch: adds a break in
      setElementTypePrefix, avoiding consuming a high amount of RAM
      and CPU, in lib/xmlparser.c
    - CVE-2018-20843

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 26 Jun 2019 12:09:36 -0300

Source diff to previous version
CVE-2018-20843 In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amoun

Version: 2.1.0-7ubuntu0.16.04.3 2017-07-19 18:07:23 UTC

  expat (2.1.0-7ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: external entity infinite loop
    - debian/patches/CVE-2017-9233.patch: add check to lib/xmlparse.c.
    - CVE-2017-9233

 -- Marc Deslauriers <email address hidden> Tue, 27 Jun 2017 09:05:33 -0400

Source diff to previous version

Version: 2.1.0-7ubuntu0.16.04.2 2016-06-20 19:07:04 UTC

  expat (2.1.0-7ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: unanticipated internal calls to srand
    - debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy
      in lib/xmlparse.c.
    - debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits on
      32bit platforms in lib/xmlparse.c.
    - CVE-2012-6702
  * SECURITY UPDATE: use of too little entropy
    - debian/patches/CVE-2016-5300-1.patch: extract method
      gather_time_entropy in lib/xmlparse.c.
    - debian/patches/CVE-2016-5300-2.patch: extract entropy from XML_Parser
      address in lib/xmlparse.c.
    - CVE-2016-5300

 -- Marc Deslauriers <email address hidden> Fri, 10 Jun 2016 08:48:04 -0400

Source diff to previous version
CVE-2012-6702 Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat
CVE-2016-5300 The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of servic

Version: 2.1.0-7ubuntu0.16.04.1 2016-05-18 15:07:06 UTC

  expat (2.1.0-7ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    malformed documents
    - debian/patches/CVE-2016-0718.patch: fix out of bounds memory access
      and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
      lib/xmltok_impl.c.
    - CVE-2016-0718
  * SECURITY UPDATE: integer overflows in XML_GetBuffer
    - debian/patches/CVE-2015-1283-refix.patch: improved existing fix in
      lib/xmlparse.c.
    - CVE-2015-1283

 -- Marc Deslauriers <email address hidden> Mon, 16 May 2016 12:47:07 -0400

CVE-2015-1283 Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, all
