expat: CVE-2009-2625

Debian Bug report logs - #551936
expat: CVE-2009-2625

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>

To: submit@bugs.debian.org

Subject: expat: CVE-2009-2625

Date: Wed, 21 Oct 2009 18:38:32 -0400

package: expat
version: 1.95.8-3
severity: serious
tags: security

hello, a security issue has been disclosed for expat.  see [0],[1].
this affects all supported debian releases, so please coordinate with
the security team to prepare DSAs.

mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
[1] https://bugs.gentoo.org/show_bug.cgi?id=280615

Message #10 received at 551936@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert <daniel.leidert@wgdd.de>

To: 551936@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#551936: expat: CVE-2009-2625

Date: Sun, 25 Oct 2009 23:05:30 +0100

[Message part 1 (text/plain, inline)]

Hi security team,

I recently received this bug report:

Am Mittwoch, den 21.10.2009, 18:38 -0400 schrieb Michael Gilbert:
> package: expat
> version: 1.95.8-3
> severity: serious
> tags: security
> 
> hello, a security issue has been disclosed for expat.  see [0],[1].
> this affects all supported debian releases, so please coordinate with
> the security team to prepare DSAs.
>
> mike
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
> [1] https://bugs.gentoo.org/show_bug.cgi?id=280615

The dpatch patch is already available at
http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/trunk/debian/patches/551936_CVE_2009_2625.dpatch

Shall I prepare the packages (I'm registered as DM for expat > 2.0.1,
but not for expat in oldstable) or do you want to do this?

Regards, Daniel

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 551936@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>

To: Daniel Leidert <daniel.leidert@wgdd.de>

Cc: 551936@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#551936: expat: CVE-2009-2625

Date: Mon, 26 Oct 2009 12:55:57 +0100

[Message part 1 (text/plain, inline)]

Hi,

Daniel Leidert ha scritto:
> The dpatch patch is already available at
> http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/trunk/debian/patches/551936_CVE_2009_2625.dpatch
> 
> Shall I prepare the packages (I'm registered as DM for expat > 2.0.1,
> but not for expat in oldstable) or do you want to do this?

Please prepare packages for stable and oldstable, and mail us the debdiffs (DMs
can't upload on security-master).

Cheers,
Giuseppe.

[signature.asc (application/pgp-signature, attachment)]

Message #20 received at 551936@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert <daniel.leidert@wgdd.de>

To: Giuseppe Iuculano <giuseppe@iuculano.it>

Cc: 551936@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#551936: expat: CVE-2009-2625

Date: Mon, 26 Oct 2009 15:29:54 +0100

[Message part 1 (text/plain, inline)]

Am Montag, den 26.10.2009, 12:55 +0100 schrieb Giuseppe Iuculano:
> Daniel Leidert ha scritto:
> > The dpatch patch is already available at
> > http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/trunk/debian/patches/551936_CVE_2009_2625.dpatch
> > 
> > Shall I prepare the packages (I'm registered as DM for expat > 2.0.1,
> > but not for expat in oldstable) or do you want to do this?
> 
> Please prepare packages for stable and oldstable, and mail us the debdiffs (DMs
> can't upload on security-master).

Attached are the debdiffs for stable and oldstable.

Regards, Daniel

[expat_1.95.8-3.4+etch4.debdiff (text/x-patch, attachment)]

[expat_2.0.1-4+lenny1.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #25 received at 551936-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>

To: 551936-close@bugs.debian.org

Subject: Bug#551936: fixed in expat 2.0.1-5

Date: Wed, 04 Nov 2009 01:32:18 +0000

Source: expat
Source-Version: 2.0.1-5

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_2.0.1-5.diff.gz
  to main/e/expat/expat_2.0.1-5.diff.gz
expat_2.0.1-5.dsc
  to main/e/expat/expat_2.0.1-5.dsc
expat_2.0.1-5_amd64.deb
  to main/e/expat/expat_2.0.1-5_amd64.deb
libexpat1-dev_2.0.1-5_amd64.deb
  to main/e/expat/libexpat1-dev_2.0.1-5_amd64.deb
libexpat1-udeb_2.0.1-5_amd64.udeb
  to main/e/expat/libexpat1-udeb_2.0.1-5_amd64.udeb
libexpat1_2.0.1-5_amd64.deb
  to main/e/expat/libexpat1_2.0.1-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 551936@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 03 Nov 2009 22:41:38 +0100
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source amd64
Version: 2.0.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 lib64expat1 - XML parsing C library - runtime library (64bit)
 lib64expat1-dev - XML parsing C library - development kit (64bit)
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 551079 551936
Changes: 
 expat (2.0.1-5) unstable; urgency=medium
 .
   * debian/control (Standards-Version): Bumped to 3.8.3.
     (Priority, Section): Fixed binary-control-field-duplicates-source.
     (Description): Fixed extended-description-is-probably-too-short and
     duplicate-long-description.
   * debian/rules (CFLAGS): Drop useless '-pthread -D_REENTRANT' from version
     1.95-8-1 (closes: #551079).
   * debian/README.source: Added for policy compliance.
   * debian/patches/551936_CVE_2009_2625.dpatch: Added.
     - lib/xmltok_impl.c (updatePosition): Fix DoS vulnerability CVE-2009-2625
       (closes: #551936).
   * debian/patches/00list: Adjusted.
Checksums-Sha1: 
 191fc64f41f122338db27baa49f32499d1203b65 1418 expat_2.0.1-5.dsc
 2c3ae13b6c1312fe618fe9ba3ee82946999d82b4 133746 expat_2.0.1-5.diff.gz
 5ae92c235cd43390cc285127bade6a0ab0bba678 223424 libexpat1-dev_2.0.1-5_amd64.deb
 0b0e0784b7404bb63a62b110c9c57627fcdbe4b7 135480 libexpat1_2.0.1-5_amd64.deb
 8787186f113ed1f783f78062f6c39336e99060fc 62350 libexpat1-udeb_2.0.1-5_amd64.udeb
 f7eda87cf4d2557c59fa014d899235f87ef0f68d 23878 expat_2.0.1-5_amd64.deb
Checksums-Sha256: 
 4c4439415f2f2e3aaddfbe372e18025b82f71365f169ba15b7a4f7634570a403 1418 expat_2.0.1-5.dsc
 fbcc8e540c6a1f2cdba31b20d10ff6253b9525641f32e6acf507eda98a0f2204 133746 expat_2.0.1-5.diff.gz
 424a7ef785b8f8087e6be536f4620c61a218507fe2211c696f7df3ef26d38671 223424 libexpat1-dev_2.0.1-5_amd64.deb
 218da3aba042af05bd2b4e11085d55724f9b9a469812f50b6c48cb27fe28e9c0 135480 libexpat1_2.0.1-5_amd64.deb
 fbe0486762a397fdda63acb851a35da0c651207075040c10b243b9a1852d04fc 62350 libexpat1-udeb_2.0.1-5_amd64.udeb
 43facd52ef9587800869ddf0d3ea66104640bc53e4f0c6ee918b1aa45eddc4c3 23878 expat_2.0.1-5_amd64.deb
Files: 
 fd3b353c53d500d84665262f2fdee8c0 1418 text optional expat_2.0.1-5.dsc
 b992b69e77a7bb9eb7a62a7b851c80f6 133746 text optional expat_2.0.1-5.diff.gz
 c688ea7137c2244607e8072e446cb380 223424 libdevel optional libexpat1-dev_2.0.1-5_amd64.deb
 92be45942a41bb79b21289d0528c070b 135480 libs optional libexpat1_2.0.1-5_amd64.deb
 7cfb0f54c431d5aed3eaaed998dafbc6 62350 debian-installer extra libexpat1-udeb_2.0.1-5_amd64.udeb
 585c73f25ec6eb1b280846e5a86d8f38 23878 text optional expat_2.0.1-5_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrwpIYACgkQm0bx+wiPa4ydqwCglVN6oY4NQCM/lI4qlkK/1RmZ
2OgAoM/roHFrdvEpZ8tGrX/mMDk8aPWu
=6jpE
-----END PGP SIGNATURE-----

Message #30 received at 551936-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>

To: 551936-close@bugs.debian.org

Subject: Bug#551936: fixed in expat 1.95.8-3.4+etch4

Date: Wed, 16 Dec 2009 23:43:55 +0000

Source: expat
Source-Version: 1.95.8-3.4+etch4

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_1.95.8-3.4+etch4.diff.gz
  to main/e/expat/expat_1.95.8-3.4+etch4.diff.gz
expat_1.95.8-3.4+etch4.dsc
  to main/e/expat/expat_1.95.8-3.4+etch4.dsc
expat_1.95.8-3.4+etch4_i386.deb
  to main/e/expat/expat_1.95.8-3.4+etch4_i386.deb
libexpat1-dev_1.95.8-3.4+etch4_i386.deb
  to main/e/expat/libexpat1-dev_1.95.8-3.4+etch4_i386.deb
libexpat1-udeb_1.95.8-3.4+etch4_i386.udeb
  to main/e/expat/libexpat1-udeb_1.95.8-3.4+etch4_i386.udeb
libexpat1_1.95.8-3.4+etch4_i386.deb
  to main/e/expat/libexpat1_1.95.8-3.4+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 551936@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 26 Oct 2009 15:21:49 +0100
Source: expat
Binary: libexpat1 libexpat1-dev expat libexpat1-udeb
Architecture: source i386
Version: 1.95.8-3.4+etch4
Distribution: oldstable-security
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 551936
Changes: 
 expat (1.95.8-3.4+etch4) oldstable-security; urgency=medium
 .
   * NMU to old stable to fix security issues.
   * CVE-2009-2625: Fix DoS vulnerability (closes: #551936).
Files: 
 0a87419bbdae53aeacaf08eef449f8b3 711 text optional expat_1.95.8-3.4+etch4.dsc
 aff487543845a82fe262e6e2922b4c8e 318349 text optional expat_1.95.8.orig.tar.gz
 b78006808401dff164db95fd8f2499f0 413057 text optional expat_1.95.8-3.4+etch4.diff.gz
 ad28064754c7f1fb08035ad626647448 128180 libdevel optional libexpat1-dev_1.95.8-3.4+etch4_i386.deb
 0554efb1bbae1faa50d1c5c5a0038dfc 63076 libs optional libexpat1_1.95.8-3.4+etch4_i386.deb
 e2df0e10b8466ca1f5534145f432b4fe 54964 debian-installer extra libexpat1-udeb_1.95.8-3.4+etch4_i386.udeb
 6e8dbc3e542af0a3c9b6970014c7e5e4 21034 text optional expat_1.95.8-3.4+etch4_i386.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrm4oAACgkQNxpp46476ar1FACdEtpDCjdYgEmEkbmF82uey/VR
zvwAniANoArXBFI0zOkeJrQBIez8C1Eo
=zFZI
-----END PGP SIGNATURE-----

Message #35 received at 551936-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>

To: 551936-close@bugs.debian.org

Subject: Bug#551936: fixed in expat 2.0.1-4+lenny1

Date: Wed, 16 Dec 2009 23:47:55 +0000

Source: expat
Source-Version: 2.0.1-4+lenny1

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_2.0.1-4+lenny1.diff.gz
  to main/e/expat/expat_2.0.1-4+lenny1.diff.gz
expat_2.0.1-4+lenny1.dsc
  to main/e/expat/expat_2.0.1-4+lenny1.dsc
expat_2.0.1-4+lenny1_i386.deb
  to main/e/expat/expat_2.0.1-4+lenny1_i386.deb
lib64expat1-dev_2.0.1-4+lenny1_i386.deb
  to main/e/expat/lib64expat1-dev_2.0.1-4+lenny1_i386.deb
lib64expat1_2.0.1-4+lenny1_i386.deb
  to main/e/expat/lib64expat1_2.0.1-4+lenny1_i386.deb
libexpat1-dev_2.0.1-4+lenny1_i386.deb
  to main/e/expat/libexpat1-dev_2.0.1-4+lenny1_i386.deb
libexpat1-udeb_2.0.1-4+lenny1_i386.udeb
  to main/e/expat/libexpat1-udeb_2.0.1-4+lenny1_i386.udeb
libexpat1_2.0.1-4+lenny1_i386.deb
  to main/e/expat/libexpat1_2.0.1-4+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 551936@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 26 Oct 2009 15:13:25 +0100
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source i386
Version: 2.0.1-4+lenny1
Distribution: stable-security
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 lib64expat1 - XML parsing C library - runtime library (64bit)
 lib64expat1-dev - XML parsing C library - development kit (64bit)
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 551936
Changes: 
 expat (2.0.1-4+lenny1) stable-security; urgency=medium
 .
   * Upload to stable to fix security issues.
   * debian/patches/551936_CVE_2009_2625.dpatch: Added.
     - lib/xmltok_impl.c (updatePosition): Fix DoS vulnerability CVE-2009-2625
       (closes: #551936).
   * debian/patches/00list: Adjusted.
Checksums-Sha1: 
 13dd9c4d5903e7fcdfd8c3a16cae40bcb8c2bfb1 1446 expat_2.0.1-4+lenny1.dsc
 663548c37b996082db1f2f2c32af060d7aa15c2d 446456 expat_2.0.1.orig.tar.gz
 bbdd73146df0bc0bd02a41383e0734192c3f86b2 133411 expat_2.0.1-4+lenny1.diff.gz
 3f7402940b0c7d7ab168e00ca2851810f5780075 166714 lib64expat1-dev_2.0.1-4+lenny1_i386.deb
 821148577ef16f440f4041046e606499dc2bb264 136372 lib64expat1_2.0.1-4+lenny1_i386.deb
 468c0435e2d0d4c2ac4e55b0329c45ea469bcb98 210960 libexpat1-dev_2.0.1-4+lenny1_i386.deb
 de813081d3f2640456d93d0d73c2089fda00be8f 131890 libexpat1_2.0.1-4+lenny1_i386.deb
 3d50f3dab8ff5679b86e23cf77e1d6f6c72651ab 60860 libexpat1-udeb_2.0.1-4+lenny1_i386.udeb
 66f496d7c3cb57e57fcc9e69af8b16983972fd80 23152 expat_2.0.1-4+lenny1_i386.deb
Checksums-Sha256: 
 5d2b26037eccf07725ec6c5b2d9afc8a8b1a86f95047229f6a73ede7252890fe 1446 expat_2.0.1-4+lenny1.dsc
 847660b4df86e707c9150e33cd8c25bc5cd828f708c7418e765e3e983a2e5e93 446456 expat_2.0.1.orig.tar.gz
 80811e6b17b91ad3e139f140e688188afde83c56cd21eff6ee010d5246131109 133411 expat_2.0.1-4+lenny1.diff.gz
 06217c4239489c4f039e857e4ffbb030e530a0b7e15df45b2f511857eec360e9 166714 lib64expat1-dev_2.0.1-4+lenny1_i386.deb
 3c6e37d7f1a850f40f3fda780f69c46db958d93d8ab639e2a65c0d6674cea3d3 136372 lib64expat1_2.0.1-4+lenny1_i386.deb
 32844e2c4f64c5be1bd29669e796e84bb9c2142ac7f18ccea053b3cc342aff09 210960 libexpat1-dev_2.0.1-4+lenny1_i386.deb
 82a026a02277c14dd152a43f3c22b3533c4bf6416132e2632aedd3b6ae2c35a1 131890 libexpat1_2.0.1-4+lenny1_i386.deb
 78b27865c944472485bbcd84e1592d443f957b0f1f4af361e810487c7164a0cb 60860 libexpat1-udeb_2.0.1-4+lenny1_i386.udeb
 b7d3f3fc6ff6ea66390a817d8c259cf43a153bdf02249321d5702fde1ac47627 23152 expat_2.0.1-4+lenny1_i386.deb
Files: 
 4f069e17ff00f0b1fb810560bce5db05 1446 text optional expat_2.0.1-4+lenny1.dsc
 ee8b492592568805593f81f8cdf2a04c 446456 text optional expat_2.0.1.orig.tar.gz
 b5dc224140f8bcdfeab899c9a2aeaf4f 133411 text optional expat_2.0.1-4+lenny1.diff.gz
 6371c41f37ac8c15f9c311d6466a263c 166714 libdevel optional lib64expat1-dev_2.0.1-4+lenny1_i386.deb
 910e7dc6c260cb7061b100738d8a1637 136372 libs optional lib64expat1_2.0.1-4+lenny1_i386.deb
 d45ab14f22aedda35b035e608cba7709 210960 libdevel optional libexpat1-dev_2.0.1-4+lenny1_i386.deb
 5091b56525caf7de535b6d5ca76c8f8d 131890 libs optional libexpat1_2.0.1-4+lenny1_i386.deb
 73e491d5110ed35e4c005d244669e766 60860 debian-installer extra libexpat1-udeb_2.0.1-4+lenny1_i386.udeb
 d1e24f461306e329e74b0314a549dad6 23152 text optional expat_2.0.1-4+lenny1_i386.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrm5QgACgkQNxpp46476arqHQCeKR/0nA2e3VKKxWwiaLPnIUc1
eGUAniwc3YYRUsnM89fY+0yYoJoAH+0N
=Ido5
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.