Three security issues

Related Vulnerabilities: CVE-2012-1147   CVE-2012-1148   CVE-2012-0876  

Debian Bug report logs - #663579


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 12 Mar 2012 13:51:11 UTC

Severity: grave

Tags: security

Found in version expat/2.0.1-7

Fixed in version expat/2.1.0~beta3-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#663579; Package libexpat1. (Mon, 12 Mar 2012 13:51:20 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Mon, 12 Mar 2012 13:51:21 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Three security issues
Date: Mon, 12 Mar 2012 14:49:30 +0100
Package: libexpat1
Severity: grave
Tags: security

Three denial of service issues have been discovered in Expat:

#2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
http://mail.python.org/pipermail/expat-bugs/2009-November/002858.html
http://sourceforge.net/tracker/?func=detail&aid=2895533&group_id=10127&atid=110127
https://bugzilla.redhat.com/show_bug.cgi?id=801634

#2958794: CVE-2012-1148 - Memory leak in poolGrow.
http://mail.python.org/pipermail/expat-bugs/2010-February/002870.html
http://sourceforge.net/tracker/?func=detail&atid=110127&aid=2958794&group_id=10127
https://bugzilla.redhat.com/show_bug.cgi?id=801648

#3496608: CVE-2012-0876 - Hash DOS attack.
http://blog.gmane.org/gmane.text.xml.expat.bugs/month=20120301
http://sourceforge.net/tracker/?func=detail&atid=110127&aid=3496608&group_id=10127
https://bugzilla.redhat.com/show_bug.cgi?id=786617

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#663579; Package libexpat1. (Thu, 15 Mar 2012 01:48:02 GMT) (full text, mbox, link).


Acknowledgement sent to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Thu, 15 Mar 2012 01:48:02 GMT) (full text, mbox, link).


Message #10 received at 663579@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 663579@bugs.debian.org
Subject: Re: Three security issues
Date: Thu, 15 Mar 2012 02:44:34 +0100
Moritz,

The package is orphaned; the only open issues are those filed by yourself.
Please just do a QA upload, or package the 2.1beta3 release.

A patch for the most recent CVE can be found at
http://launchpadlibrarian.net/96838022/expat_2.0.1-7.2_2.0.1-7.2ubuntu1.diff.gz

Thanks, Matthias




Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Tue, 20 Mar 2012 21:51:16 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 20 Mar 2012 21:51:16 GMT) (full text, mbox, link).


Message #15 received at 663579-close@bugs.debian.org (full text, mbox, reply):

From: Matthias Klose <doko@debian.org>
To: 663579-close@bugs.debian.org
Subject: Bug#663579: fixed in expat 2.1.0~beta3-1
Date: Tue, 20 Mar 2012 21:47:15 +0000
Source: expat
Source-Version: 2.1.0~beta3-1

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_2.1.0~beta3-1.debian.tar.gz
  to main/e/expat/expat_2.1.0~beta3-1.debian.tar.gz
expat_2.1.0~beta3-1.dsc
  to main/e/expat/expat_2.1.0~beta3-1.dsc
expat_2.1.0~beta3-1_amd64.deb
  to main/e/expat/expat_2.1.0~beta3-1_amd64.deb
expat_2.1.0~beta3.orig.tar.gz
  to main/e/expat/expat_2.1.0~beta3.orig.tar.gz
libexpat1-dev_2.1.0~beta3-1_amd64.deb
  to main/e/expat/libexpat1-dev_2.1.0~beta3-1_amd64.deb
libexpat1-udeb_2.1.0~beta3-1_amd64.udeb
  to main/e/expat/libexpat1-udeb_2.1.0~beta3-1_amd64.udeb
libexpat1_2.1.0~beta3-1_amd64.deb
  to main/e/expat/libexpat1_2.1.0~beta3-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 663579@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 20 Mar 2012 22:37:22 +0100
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source amd64
Version: 2.1.0~beta3-1
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description: 
 expat      - XML parsing C library - example application
 lib64expat1 - XML parsing C library - runtime library (64bit)
 lib64expat1-dev - XML parsing C library - development kit (64bit)
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 653526 663579
Changes: 
 expat (2.1.0~beta3-1) unstable; urgency=low
 .
   * QA upload.
   * Beta release 2.1.0 beta3. Closes: #663579.
     - CVE-2012-1147 - Resource leak in readfilemap.c.
     - CVE-2012-1148 - Memory leak in poolGrow.
     - CVE-2012-0876 - Hash DOS attack.
     - Remove patches applied upstream.
   * Remove Daniel from uploaders (orphaned package).
   * Update package format to 3.0.
   * Enable hardened build. Closes: #653526.
   * Add a symbols file.
   * Install expat pkgconfig file.
Checksums-Sha1: 
 fd32acbb0e95acbf053fc923bb82a9e818d8ad90 1668 expat_2.1.0~beta3-1.dsc
 956e05916d4840c46ca9f5377a01b13cafc4b510 562612 expat_2.1.0~beta3.orig.tar.gz
 e9b43a6ceaa29cb4f67f993b28479947be530821 11215 expat_2.1.0~beta3-1.debian.tar.gz
 3bf346aaa2f70e47db98c3a9ef116ead2482e869 228726 libexpat1-dev_2.1.0~beta3-1_amd64.deb
 955a8f3b96d0ca9605394a136789f76f2d7a9852 141224 libexpat1_2.1.0~beta3-1_amd64.deb
 d14b3cfa1fdbdbdb0fb3c389e0c3f2f629ba196f 64002 libexpat1-udeb_2.1.0~beta3-1_amd64.udeb
 3feec5019c797f7f6b5bbf69575bff0a99b804a2 25528 expat_2.1.0~beta3-1_amd64.deb
Checksums-Sha256: 
 0fab203660ce7a428700f8c73c3a454bd642db8bfe2952d012533a0db63941d0 1668 expat_2.1.0~beta3-1.dsc
 69d2ec90d46b1308ffd2f4e8f2f269124951f9c12314d422df8f47fe315f2aa6 562612 expat_2.1.0~beta3.orig.tar.gz
 2c86348cf039984fc36fcd5b04f3b0f4a257a68241434838f764be3ad1eb66ee 11215 expat_2.1.0~beta3-1.debian.tar.gz
 4984da0f180fbbdbf615b67e21a4f2a5fb39d108d375898433e7d53c5a497033 228726 libexpat1-dev_2.1.0~beta3-1_amd64.deb
 08a351bc8a931dfd325ac3ffe92c127131915b16b9aec0e2e33ee6dbd65c4235 141224 libexpat1_2.1.0~beta3-1_amd64.deb
 2e02b506972ba43a931f801b1bb89256d367b576a5e2eb68597d5db0627c81a4 64002 libexpat1-udeb_2.1.0~beta3-1_amd64.udeb
 eb0ae403c854463b00e374abc25e69944a19c47e07ab6d591c38fc60bee32f5c 25528 expat_2.1.0~beta3-1_amd64.deb
Files: 
 653907dadc72958e6044fb26b39d0c57 1668 text optional expat_2.1.0~beta3-1.dsc
 34ef793d4eafd96af6df4d96b134c95f 562612 text optional expat_2.1.0~beta3.orig.tar.gz
 1acb619c3e2a06ba83605ba7e5a56ca7 11215 text optional expat_2.1.0~beta3-1.debian.tar.gz
 c5cae281d86419635f8ac9daa35f6a53 228726 libdevel optional libexpat1-dev_2.1.0~beta3-1_amd64.deb
 acab14c4164040a875a0fb6241d4f1a6 141224 libs optional libexpat1_2.1.0~beta3-1_amd64.deb
 dd8873906b6c9c707763146e75b46db9 64002 debian-installer extra libexpat1-udeb_2.1.0~beta3-1_amd64.udeb
 bb7efb5076f347988e47e91ba4270754 25528 text optional expat_2.1.0~beta3-1_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk9o+RYACgkQStlRaw+TLJwhLgCggrLHnCPeqaL8pHPtxy7C4Sis
TTIAoLGLCGaZY8fAiRehATuSbRIPc1XU
=8V/k
-----END PGP SIGNATURE-----





Marked as found in versions expat/2.0.1-7. Request was from Arne Wichmann <aw@anhrefn.saar.de> to control@bugs.debian.org. (Sun, 03 Jun 2012 19:15:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#663579; Package libexpat1. (Mon, 16 Jul 2012 15:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Mon, 16 Jul 2012 15:57:06 GMT) (full text, mbox, link).


Message #22 received at 663579@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 663579@bugs.debian.org
Subject: CVE-2012-1147 - Not on *nix
Date: Mon, 16 Jul 2012 17:39:34 +0200
readfilemap.c is not compiled on *nix [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1147

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:19:44 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:20:02 2019; Machine Name: buxtehude
