
Debian Bug report logs - #931031
expat: CVE-2018-20843


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 24 Jun 2019 20:54:02 UTC

Severity: important

Tags: security, upstream

Found in version expat/2.2.6-1

Fixed in version expat/2.2.6-2

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Forwarded to https://github.com/libexpat/libexpat/issues/186





Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#931031; Package src:expat. (Mon, 24 Jun 2019 20:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 24 Jun 2019 20:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: expat: CVE-2018-20843
Date: Mon, 24 Jun 2019 22:50:56 +0200
Source: expat
Version: 2.2.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/issues/186

Hi,

The following vulnerability was published for expat.

CVE-2018-20843[0]:
| In libexpat in Expat before 2.2.7, XML input including XML names that
| contain a large number of colons could make the XML parser consume a
| high amount of RAM and CPU resources while processing (enough to be
| usable for denial-of-service attacks).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20843
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226
[2] https://github.com/libexpat/libexpat/issues/186
[3] https://github.com/libexpat/libexpat/pull/262

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

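The report above gives three version facts a practitioner needs to act on: upstream fixed the issue in Expat 2.2.7 (the CVE text), Debian unstable was affected in expat 2.2.6-1 and fixed in 2.2.6-2 (the bug header). The following is an added example, not code from this bug report, from dpkg or from libexpat. It re-implements dpkg's version ordering (epoch, upstream version, Debian revision; `~` sorts before the empty string, digit runs compare numerically) so that an installed libexpat1 version can be ranked against the fixed one, and it reads the libexpat version the running Python is linked against to compare with 2.2.7. The `dpkg-query` invocation, the default fixed version (which is only correct for unstable; other suites' fixed versions are on the security tracker linked above) and the sample versions are the example's own assumptions.

```python
"""Check whether an expat build is old enough for CVE-2018-20843.

Added example; not code from the Debian bug report, dpkg or libexpat.
Two facts from the report drive it: the upstream fix is in Expat 2.2.7,
and Debian unstable fixed it in expat 2.2.6-2 (2.2.6-1 was affected).
The Debian comparison re-implements dpkg's version ordering so that a
backport such as 2.2.6-2~bpo10+1 is correctly ranked below 2.2.6-2.
Fixed versions for other suites must be passed in explicitly.
"""
import string
import subprocess
import xml.parsers.expat as expat

UPSTREAM_FIXED = (2, 2, 7)         # from the CVE text: "before 2.2.7"
DEBIAN_UNSTABLE_FIXED = "2.2.6-2"  # from this bug: fixed in expat/2.2.6-2


def _isdigit(c):
    return len(c) == 1 and c in string.digits


def _order(c):
    """dpkg's character weight for the non-digit parts of a version."""
    if _isdigit(c):
        return 0
    if len(c) == 1 and c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1            # tilde sorts before the empty string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0                 # end of string


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0

    def at(s, k):
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character by dpkg weight.
        while (at(a, i) and not _isdigit(at(a, i))) or \
              (at(b, j) and not _isdigit(at(b, j))):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then compare numerically.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while _isdigit(at(a, i)) and _isdigit(at(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(at(a, i)):
            return 1     # a has more digits, so it is numerically larger
        if _isdigit(at(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg --compare-versions would order a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def debian_package_fixed(installed, fixed=DEBIAN_UNSTABLE_FIXED):
    """True if an installed libexpat1 version is at or above the fixed one."""
    return compare_versions(installed, fixed) >= 0


def upstream_fixed(version_info=None):
    """True if a libexpat (major, minor, micro) tuple is 2.2.7 or newer.

    Defaults to the libexpat that pyexpat is linked against. On Debian that
    is the system libexpat1; other Python builds may bundle their own copy,
    so this does not necessarily describe the installed package.
    """
    v = tuple(version_info) if version_info is not None else tuple(expat.version_info)
    return v >= UPSTREAM_FIXED


def installed_libexpat1_version():
    """Ask dpkg for the installed libexpat1 version; None if unavailable."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "libexpat1"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    pkg = installed_libexpat1_version()
    if pkg is not None:
        print("libexpat1", pkg, "fixed" if debian_package_fixed(pkg) else "AFFECTED")
    print("pyexpat links libexpat", ".".join(map(str, expat.version_info)),
          "fixed" if upstream_fixed() else "AFFECTED")
```

On a host that tracks a stable suite, pass that suite's fixed version to `debian_package_fixed` instead of relying on the unstable default; the tilde rule matters there, because a backport revision such as `2.2.6-2~bpo10+1` must rank below `2.2.6-2` while a binNMU such as `2.2.6-2+b1` ranks above it.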


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Mon, 24 Jun 2019 23:21:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 24 Jun 2019 23:21:08 GMT)


Message #10 received at 931031-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 931031-close@bugs.debian.org
Subject: Bug#931031: fixed in expat 2.2.6-2
Date: Mon, 24 Jun 2019 23:19:27 +0000
Source: expat
Source-Version: 2.2.6-2

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931031@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 24 Jun 2019 21:18:31 +0000
Source: expat
Architecture: source
Version: 2.2.6-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 931031
Changes:
 expat (2.2.6-2) unstable; urgency=high
 .
   * Fix extraction of namespace prefix from XML name (CVE-2018-20843)
     (closes: #931031).
Checksums-Sha1:
 cac5269f06cf8c3601248c464d766246879951ed 1949 expat_2.2.6-2.dsc
 812d2b99af7787a00563a157b634c4659810b965 11108 expat_2.2.6-2.debian.tar.xz
 a499c87f5d6315a5c5dec78458705546b37441d0 9116 expat_2.2.6-2_amd64.buildinfo
Checksums-Sha256:
 50fb4a3159f1aeb91e23caa1d329579df956514dc42866b4c3fef0e66cb0915e 1949 expat_2.2.6-2.dsc
 678c073cecab66cc5ea0feaf02626db4300008d9c20df9ebe81958944af31673 11108 expat_2.2.6-2.debian.tar.xz
 999a22bf3a1cdc63cfd271c167190e1a6c4d4ef2edb4ff2ac2a02730e72b13af 9116 expat_2.2.6-2_amd64.buildinfo
Files:
 b4e611eafffd359a8a352381c579e171 1949 text optional expat_2.2.6-2.dsc
 b1606df0dc20bff98ea616169130c48b 11108 text optional expat_2.2.6-2.debian.tar.xz
 144a2d346b628b48273514c6cbc1f8c8 9116 text optional expat_2.2.6-2_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jun 25 12:56:52 2019; Machine Name: beach
