Debian Bug report logs -
#793484
expat: CVE-2015-1283: Multiple integer overflows in the XML_GetBuffer function
Reported by: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 24 Jul 2015 14:03:02 UTC
Severity: grave
Tags: patch, security
Found in versions expat/2.0.1-7, expat/2.1.0-1
Fixed in versions expat/2.1.0-1+deb7u2, expat/2.0.1-7+squeeze2, expat/2.1.0-6+deb8u1, expat/2.1.0-7
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#793484; Package expat.
(Fri, 24 Jul 2015 14:03:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Fri, 24 Jul 2015 14:03:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: expat
Severity: grave
Tags: security patch
Hi,
the following vulnerability was published for expat.
CVE-2015-1283[0]:
| Multiple integer overflows in the XML_GetBuffer function in Expat
| through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other
| products, allow remote attackers to cause a denial of service
| (heap-based buffer overflow) or possibly have unspecified other impact
| via crafted XML data, a related issue to CVE-2015-2716.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
Please adjust the affected versions in the BTS as needed.
It looks like that Mozilla wrote a patch here:
https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
And chromium reused that patch too.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#793484; Package expat.
(Fri, 24 Jul 2015 14:27:18 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Fri, 24 Jul 2015 14:27:18 GMT) (full text, mbox, link).
Message #10 received at 793484@bugs.debian.org (full text, mbox, reply):
Hello Laszlo,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of expat:
https://security-tracker.debian.org/tracker/CVE-2015-1283
Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.
If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development
If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.
If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.
Thank you very much.
Raphaël Hertzog,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Fri, 24 Jul 2015 15:39:08 GMT) (full text, mbox, link).
Notification sent
to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer.
(Fri, 24 Jul 2015 15:39:08 GMT) (full text, mbox, link).
Message #15 received at 793484-close@bugs.debian.org (full text, mbox, reply):
Source: expat
Source-Version: 2.1.0-7
We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 793484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 24 Jul 2015 14:48:45 +0000
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source amd64
Version: 2.1.0-7
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
expat - XML parsing C library - example application
lib64expat1 - XML parsing C library - runtime library (64bit)
lib64expat1-dev - XML parsing C library - development kit (64bit)
libexpat1 - XML parsing C library - runtime library
libexpat1-dev - XML parsing C library - development kit
libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 793484
Changes:
expat (2.1.0-7) unstable; urgency=high
.
* Fix CVE-2015-1283, multiple integer overflows in the XML_GetBuffer
function (closes: #793484).
* Update Standards-Version to 3.9.6 .
Checksums-Sha1:
f14201ad9f9ae57bf82bdfcdc183c9ece093505d 2250 expat_2.1.0-7.dsc
35729c51d4677e39828e83d388ea165239d94463 15232 expat_2.1.0-7.debian.tar.xz
b602d78312bf3e517adbdb2bff228ae7a36411e4 23886 expat_2.1.0-7_amd64.deb
5aa8b17bb41f6e46e30fac47683530f886a53497 126000 libexpat1-dev_2.1.0-7_amd64.deb
02988e296a7dbc857a93ae391dbd982f8d7d2b66 52204 libexpat1-udeb_2.1.0-7_amd64.udeb
9431efc092d953e51303d4805b949b32df9486c2 79982 libexpat1_2.1.0-7_amd64.deb
Checksums-Sha256:
ea61494d57d7c5f3b0dcd7cf08692cdc7535ed1755ded2fc9e34f5d26483f948 2250 expat_2.1.0-7.dsc
e45e1f1404c49e5d5942c74881c64c32aad5a7b37761aca094d456f26fec4256 15232 expat_2.1.0-7.debian.tar.xz
f9e466d71e66a03094d6b9c373fcc4e5229ead3fe559775d48a5147ea74b6664 23886 expat_2.1.0-7_amd64.deb
ed819a73c524e07f9ed2e1f1bdf7f45f8df9cbfa966f4c5bf52d61223c9424a7 126000 libexpat1-dev_2.1.0-7_amd64.deb
f6d3d47e46c0eb40f8295bff8b86d0637c79e7f0e916455fcd94c0163da2a08f 52204 libexpat1-udeb_2.1.0-7_amd64.udeb
5d5803bcf3bcf73e9b348ab069023ca41240184a56c803c587e65e316c1d3f73 79982 libexpat1_2.1.0-7_amd64.deb
Files:
64b99f522404d81475b529b6ba2ced53 2250 text optional expat_2.1.0-7.dsc
8402b9763a40714e138ada6e6a054be5 15232 text optional expat_2.1.0-7.debian.tar.xz
817834c0bfbef940d3914b8472c95240 23886 text optional expat_2.1.0-7_amd64.deb
fba0b19486dc4a5f3fe9b8f6e729d4e0 126000 libdevel optional libexpat1-dev_2.1.0-7_amd64.deb
e19b918db2ddde3e0ccec1851fa366cf 52204 debian-installer extra libexpat1-udeb_2.1.0-7_amd64.udeb
456faf4a54a2b854ce26c4dd2a155bbc 79982 libs optional libexpat1_2.1.0-7_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJVslcZAAoJENzjEOeGTMi/pFIP/37J5IEEEJ/yeFs0W0Wdqw+q
7RDUBhjQu6hQsjbGMOwoy/aTV+CAtlE+vFfVpUKF+0SmT380NqkX0xAV7y5r2DgL
5bnk2FVw944AQdieVvHstebt8GQ55IIstV2mLBK9oDj3v1ABukq476QUvdBl+aC0
jkJhIzOosU5x6WQ3qyCJevnq0+OmNECh4S5QZR7tiCLgoTFxarROo/7eLWFBl6ty
nvSuBTA71M9msOIku03mh+D2wEmixF7xkNO2/DClaBCKjoLj7f8Jb+zkn05bazB5
m+ZyznkWvetyV4kNrDGL/BeF6yvlfU5urzkg4POHONKbzsTtAs4ANbuhMh/wRj5Z
SXGSbaQWuj59Pf9XePMBMUm6dGiTxfrp1uy9YRUiG5KayrkIjaZ6FeNesC1VFqZm
PrF/YsIBGFJ8+I2xEX0KHzdgZptmiDbTaFzebbQz3bI8Z3v2MIQeUQ8xsV0dNXzE
pktTa1ysM6KUYjY/TGaiR/xqTaUq8WwhYhwSAx7/228d6uXKPwt2FNP9veIW8CgE
+T9kKi6AOpVAwHWBMDb3daAsCNKpbpYNoBEJdQPNj8awWLmpTTnbz2lXcunrR0Di
amVcT49SA5/euvBb3AfsNHSgNyeWyobSmbbCvLV0BwEaubc3RpWpU51X9XvkrFiZ
IkqPrDIHdgNKFAZfKrJB
=LGv5
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#793484; Package expat.
(Fri, 24 Jul 2015 17:27:05 GMT) (full text, mbox, link).
Acknowledgement sent
to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Fri, 24 Jul 2015 17:27:05 GMT) (full text, mbox, link).
Message #20 received at 793484@bugs.debian.org (full text, mbox, reply):
Control: found -1 2.0.1-7+squeeze1
Squeeze, Wheezy and Jessie versions are all affected by this security issue. :(
Marked as found in versions expat/2.0.1-7+squeeze1.
Request was from László Böszörményi (GCS) <gcs@debian.org>
to 793484-submit@bugs.debian.org.
(Fri, 24 Jul 2015 17:27:05 GMT) (full text, mbox, link).
Marked as found in versions expat/2.1.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 25 Jul 2015 05:39:03 GMT) (full text, mbox, link).
Marked as found in versions expat/2.0.1-7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 25 Jul 2015 05:42:03 GMT) (full text, mbox, link).
No longer marked as found in versions expat/2.0.1-7+squeeze1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 25 Jul 2015 05:42:06 GMT) (full text, mbox, link).
Marked as fixed in versions expat/2.1.0-6+deb8u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 27 Jul 2015 20:48:06 GMT) (full text, mbox, link).
Marked as fixed in versions expat/2.1.0-1+deb7u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 27 Jul 2015 20:48:07 GMT) (full text, mbox, link).
Marked as fixed in versions expat/2.0.1-7+squeeze2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 27 Jul 2015 20:48:10 GMT) (full text, mbox, link).
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Tue, 04 Aug 2015 21:21:07 GMT) (full text, mbox, link).
Notification sent
to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer.
(Tue, 04 Aug 2015 21:21:07 GMT) (full text, mbox, link).
Message #39 received at 793484-close@bugs.debian.org (full text, mbox, reply):
Source: expat
Source-Version: 2.1.0-1+deb7u2
We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 793484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 24 Jul 2015 15:57:09 +0000
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source amd64
Version: 2.1.0-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
expat - XML parsing C library - example application
lib64expat1 - XML parsing C library - runtime library (64bit)
lib64expat1-dev - XML parsing C library - development kit (64bit)
libexpat1 - XML parsing C library - runtime library
libexpat1-dev - XML parsing C library - development kit
libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 793484
Changes:
expat (2.1.0-1+deb7u2) wheezy-security; urgency=high
.
* Fix CVE-2015-1283, multiple integer overflows in the XML_GetBuffer
function (closes: #793484).
Checksums-Sha1:
82c59697c82e9b6eeca634c7f8e6903174dbae9c 2177 expat_2.1.0-1+deb7u2.dsc
9fb2ace86afecdf8437ac15d52d8f549b54b5531 12424 expat_2.1.0-1+deb7u2.debian.tar.gz
11f3741d610a750c1ab1b30b79417d8e19fbf912 222480 libexpat1-dev_2.1.0-1+deb7u2_amd64.deb
cd46ae8e4b187bdb0436fd6231cc6509ca16d451 138896 libexpat1_2.1.0-1+deb7u2_amd64.deb
f444c73f72c17c6a97705b133f315fe2f7cf0810 52698 libexpat1-udeb_2.1.0-1+deb7u2_amd64.udeb
6a50b28b261537c3cd3acd4b120164c3bb869844 25964 expat_2.1.0-1+deb7u2_amd64.deb
Checksums-Sha256:
1735d42012c5121cf610b86cb622258290524305756217a03b91a399d528d1ce 2177 expat_2.1.0-1+deb7u2.dsc
57ec7e3545669725ec0ffd13b39db7a10c5e5257fbfa1f31ea3b459482ee394c 12424 expat_2.1.0-1+deb7u2.debian.tar.gz
0e98c2262b84f3a18acc7571f8e5b69bee235d07413f51cc6c6b108ea07b6bbb 222480 libexpat1-dev_2.1.0-1+deb7u2_amd64.deb
1bc45d06071851b5ffb9cd34f917a94f3024bfd7a81d067da2efc4d12abfa2df 138896 libexpat1_2.1.0-1+deb7u2_amd64.deb
d0399a73036b176caa96524688476c3113ef0e648678eafbef0abb95255ecba4 52698 libexpat1-udeb_2.1.0-1+deb7u2_amd64.udeb
cee98e61443a85b70d697699f4f1fac4300a8ddb4f9f6515bac6a32859336459 25964 expat_2.1.0-1+deb7u2_amd64.deb
Files:
294f70a71b39290e6b636ee121938393 2177 text optional expat_2.1.0-1+deb7u2.dsc
3a5861fe791ffb0ed49962f82cc09311 12424 text optional expat_2.1.0-1+deb7u2.debian.tar.gz
b4e5c6d683a6e7b892690c33e434ea2b 222480 libdevel optional libexpat1-dev_2.1.0-1+deb7u2_amd64.deb
38e63077970391d7b153c5bc2421ceba 138896 libs optional libexpat1_2.1.0-1+deb7u2_amd64.deb
7861f02b394984c0a365b012dec6ec72 52698 debian-installer extra libexpat1-udeb_2.1.0-1+deb7u2_amd64.udeb
bfe488882e97ce3758187e11ec66d89c 25964 text optional expat_2.1.0-1+deb7u2_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJVs6yfAAoJENzjEOeGTMi/EToP/3WqLL5il553AUXD6HFUwrof
F/ADD0V+ScFTt7QMe26ebgwnODPvdxdBRhFQfA4WnEvrSqxPutYz6oKUd0o7JKIK
9k3Bd13D6qjf0S7x3tHpGwpY/THEykA/BqW3QgmVnQhOCHz+sqDIFXK+7JwCzr+/
oLkZmBmg38nXT0SO9mlx1Se6s/vhgmsOQEVZ6L/+MrFcTvH9qsxbJ8Fv5EoVkLE5
kDGK2OTujaHc1fpwVA9WmMSNs7vPua+yte9y9uhNGQGyDLaxVAquezkKWNTG6h+K
covlJkYitBHkTlfTjULuR0Id/vqB/fwx0uLKMbTDtdmq59HBFeI8MFMKZhf3NEBL
bYsVDHUS6yYUtOq97W9bcPXijAqv9J4iDEsdM7ijYdXt4MLCFl++kIve3+LIpGCF
VGXtPjIvSwDiBPq7QbavaiKLZg6bI6SPEcm5Kux8iQegAvTE9gUEM6qByFukPhyx
0s2Pq1l80xrCp+ly1OGeVAnFXX5+n15c+omBZCpAOfmaZyPaG36s+ZWZQOIMtQ7b
XDgraYoFmOnRjQ00cD73wPemxjqaw8AciYK/bMtQ9M/2LI9gZcf62zDrIVwMhnUF
Ih+uT6yfkxlUeJFYt9gUtAQgdNXmKVRYRnoBWnVKyg12j9H436si6rNyTewj6Efe
EJXPPA7mLdb4BFHTQV8H
=Agnt
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 06 Sep 2015 07:40:26 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:45:19 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon