expat: CVE-2009-3560


Debian Bug report logs - #560901


Package: expat; Maintainer for expat is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for expat is src:expat (PTS, buildd, popcon).

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 13 Dec 2009 01:48:05 UTC

Severity: serious

Tags: security

Found in version expat/1.95.8-3.4

Fixed in versions expat/2.0.1-6, expat/1.95.8-3.4+etch4, expat/2.0.1-4+lenny2

Done: Daniel Leidert (dale) <daniel.leidert@wgdd.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#560901; Package expat. (Sun, 13 Dec 2009 01:48:08 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sun, 13 Dec 2009 01:48:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: expat: CVE-2009-3560
Date: Sat, 12 Dec 2009 20:46:00 -0500
package: expat
version: 1.95.8-3.4
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for expat.

CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.

I've checked etch and lenny.  They are both affected by this issue.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
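The report above describes a crash caused by malformed UTF-8 sequences that lead the parser to read past the end of its buffer. The following is an added example, not code from expat, from the Debian packages, or from this bug report: a stand-alone UTF-8 pre-validator in C that an application can run over an untrusted document before handing it to any XML parser. It rejects stray continuation bytes, overlong forms, surrogate code points, and, the case most relevant here, a multibyte sequence cut off by the end of the buffer. The names utf8_first_error and xml_input_is_safe_utf8 and the sample documents are constructed for this illustration; the check is a defence-in-depth input filter and is not the upstream fix to doProlog.

```c
/* Added example (not expat's code): defensive UTF-8 validation of untrusted
 * XML input before it reaches the parser. Function and sample names are
 * constructed for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns -1 if buf[0..len) is well-formed UTF-8 per RFC 3629, otherwise the
 * byte offset of the first malformed sequence. Every continuation byte is
 * required to lie inside the buffer, so a lead byte near the end whose
 * trailing bytes are missing is reported rather than read past the end. */
long utf8_first_error(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        size_t need;                 /* continuation bytes expected after b */
        unsigned char lo = 0x80;     /* allowed range of the second byte    */
        unsigned char hi = 0xBF;

        if (b < 0x80) { i++; continue; }              /* ASCII */
        else if (b >= 0xC2 && b <= 0xDF) need = 1;
        else if (b == 0xE0) { need = 2; lo = 0xA0; }  /* reject overlong E0 80..9F */
        else if (b >= 0xE1 && b <= 0xEC) need = 2;
        else if (b == 0xED) { need = 2; hi = 0x9F; }  /* reject UTF-16 surrogates  */
        else if (b >= 0xEE && b <= 0xEF) need = 2;
        else if (b == 0xF0) { need = 3; lo = 0x90; }  /* reject overlong F0 80..8F */
        else if (b >= 0xF1 && b <= 0xF3) need = 3;
        else if (b == 0xF4) { need = 3; hi = 0x8F; }  /* cap at U+10FFFF           */
        else return (long)i;   /* stray continuation byte, C0/C1, or F5..FF */

        if (i + need >= len)               /* sequence truncated by buffer end */
            return (long)i;
        if (buf[i + 1] < lo || buf[i + 1] > hi)
            return (long)i;
        for (size_t k = 2; k <= need; k++)
            if (buf[i + k] < 0x80 || buf[i + k] > 0xBF)
                return (long)i;
        i += need + 1;
    }
    return -1;
}

/* Gate in front of the parser: 1 if the document is well-formed UTF-8, else 0. */
int xml_input_is_safe_utf8(const char *doc, size_t len)
{
    return utf8_first_error((const unsigned char *)doc, len) == -1;
}

/* Constructed sample documents (not taken from the bug report). */
#define DOC_VALID      "<a>\xC3\xA9</a>"   /* U+00E9, well-formed              */
#define DOC_TRUNCATED  "<a>\xE2\x82"       /* 3-byte lead, last byte missing   */
#define DOC_STRAY      "<a>\x80</a>"       /* continuation byte with no lead   */
#define DOC_OVERLONG   "<a>\xC0\xAF</a>"   /* overlong encoding of '/'         */

int main(void)
{
    struct { const char *name; const char *doc; size_t len; } samples[] = {
        { "valid",     DOC_VALID,     sizeof DOC_VALID - 1 },
        { "truncated", DOC_TRUNCATED, sizeof DOC_TRUNCATED - 1 },
        { "stray",     DOC_STRAY,     sizeof DOC_STRAY - 1 },
        { "overlong",  DOC_OVERLONG,  sizeof DOC_OVERLONG - 1 },
    };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        long err = utf8_first_error((const unsigned char *)samples[n].doc,
                                    samples[n].len);
        if (err < 0)
            printf("%-9s: ok, safe to parse\n", samples[n].name);
        else
            printf("%-9s: rejected, malformed sequence at byte %ld\n",
                   samples[n].name, err);
    }
    return 0;
}
```

The length is passed explicitly rather than taken from strlen(), because an XML document read from a socket or file may legitimately contain NUL bytes and because the whole point of the check is never to look beyond the bytes the caller actually owns. Running the validator on the constructed samples reports the truncated, stray and overlong documents as malformed at byte 3 and accepts the valid one.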




Information forwarded to debian-bugs-dist@lists.debian.org, Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>:
Bug#560901; Package expat. (Sun, 13 Dec 2009 11:21:04 GMT)


Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>. (Sun, 13 Dec 2009 11:21:04 GMT)


Message #10 received at 560901@bugs.debian.org:

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: team@security.debian.org
Cc: 560901@bugs.debian.org
Subject: Bug#560901, CVE-2009-3560: debdiffs for expat (stable,oldstable)-security
Date: Sun, 13 Dec 2009 12:19:32 +0100
[Message part 1 (text/plain, inline)]
Dear security team,

Please find attached the debdiffs for stable and oldstable to fix
CVE-2009-3560 (Debian #560901).

Note that CVE-2009-3720 seems to be equal to CVE-2009-2625, which was
fixed in the last upload. So I added this reference to the Debian
changelog too. If you don't like it, you can easily revert this change.

Regards, Daniel
[expat_1.95.8-3.4+etch4.debdiff (text/x-patch, attachment)]
[expat_2.0.1-4+lenny2.debdiff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Daniel Leidert (dale) <daniel.leidert@wgdd.de>:
You have taken responsibility. (Sun, 13 Dec 2009 11:36:08 GMT)


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 13 Dec 2009 11:36:08 GMT)


Message #15 received at 560901-close@bugs.debian.org:

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
To: 560901-close@bugs.debian.org
Subject: Bug#560901: fixed in expat 2.0.1-6
Date: Sun, 13 Dec 2009 11:33:37 +0000
Source: expat
Source-Version: 2.0.1-6

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_2.0.1-6.diff.gz
  to main/e/expat/expat_2.0.1-6.diff.gz
expat_2.0.1-6.dsc
  to main/e/expat/expat_2.0.1-6.dsc
expat_2.0.1-6_amd64.deb
  to main/e/expat/expat_2.0.1-6_amd64.deb
libexpat1-dev_2.0.1-6_amd64.deb
  to main/e/expat/libexpat1-dev_2.0.1-6_amd64.deb
libexpat1-udeb_2.0.1-6_amd64.udeb
  to main/e/expat/libexpat1-udeb_2.0.1-6_amd64.udeb
libexpat1_2.0.1-6_amd64.deb
  to main/e/expat/libexpat1_2.0.1-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560901@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 13 Dec 2009 12:06:07 +0100
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source amd64
Version: 2.0.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 lib64expat1 - XML parsing C library - runtime library (64bit)
 lib64expat1-dev - XML parsing C library - development kit (64bit)
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 560901
Changes: 
 expat (2.0.1-6) unstable; urgency=medium
 .
   * debian/patches/560901_CVE_2009_3560.dpatch: Added.
     - lib/xmlparse.c (doProlog): Fix DoS vulnerability CVE-2009-3560 (closes:
       #560901).
   * debian/patches/00list: Adjusted.
Checksums-Sha1: 
 6e7e832adf7bbbc80771583a947ad6e994176a20 1418 expat_2.0.1-6.dsc
 dc4fa6bedbc10572d3f13d082cfb713cd2ca604a 134075 expat_2.0.1-6.diff.gz
 d496e6f98a4c076180a100510e2b4e9f859db211 221202 libexpat1-dev_2.0.1-6_amd64.deb
 76857cf5eb42fa33af6a44032de09ee09d6555a7 136964 libexpat1_2.0.1-6_amd64.deb
 426d348dabbbd3639c8c97a4f6098fd35129f9cb 63070 libexpat1-udeb_2.0.1-6_amd64.udeb
 1f276302eb6bc0c427a115a4c287e2daf4dad00f 23988 expat_2.0.1-6_amd64.deb
Checksums-Sha256: 
 af6374bc1957b81c37e74686eb3e3e45b59b4fbcb70d2e3951b40df805da4149 1418 expat_2.0.1-6.dsc
 79de8139412de83cb6f14f4ff8e54c8956140b03b499b812072da0269d464a66 134075 expat_2.0.1-6.diff.gz
 37557abe77fdb7be04343b464eb80b16dcc4f0ca00e91dea6c386880c36ce179 221202 libexpat1-dev_2.0.1-6_amd64.deb
 2bdf49b5f3625fe5812c92b33c238c29cdbb1bbe1c9503d6d374d74ae4b586f9 136964 libexpat1_2.0.1-6_amd64.deb
 7d402bd8558483827c28686ba969a16a6f26bf00b7832802568276a915ca6bc6 63070 libexpat1-udeb_2.0.1-6_amd64.udeb
 81817ef38551c107c7ba1a4ac823a770180061bfa2e184e8a77f970ccad7f65e 23988 expat_2.0.1-6_amd64.deb
Files: 
 a23550b4fdc3660219880acab7981893 1418 text optional expat_2.0.1-6.dsc
 ae75685589ea4179c07f7ad0a955bb42 134075 text optional expat_2.0.1-6.diff.gz
 b742a7fc1a29e266c7ed179ba0f68364 221202 libdevel optional libexpat1-dev_2.0.1-6_amd64.deb
 a17c55e88c27f7c07d4cd2b7bf3945e4 136964 libs optional libexpat1_2.0.1-6_amd64.deb
 b8eb4c0217d238d5b2050c9006c0d919 63070 debian-installer extra libexpat1-udeb_2.0.1-6_amd64.udeb
 851f97fb13786fd4806cebc3c60a9573 23988 text optional expat_2.0.1-6_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksky64ACgkQm0bx+wiPa4wtBwCfWGa7xmYxVpYFg3+GCSPrcmiE
CksAoLGIxVHeEtbys+5dzIvQMnvd6a+N
=Sc/E
-----END PGP SIGNATURE-----





Reply sent to Daniel Leidert (dale) <daniel.leidert@wgdd.de>:
You have taken responsibility. (Wed, 16 Dec 2009 23:48:03 GMT)


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 16 Dec 2009 23:48:03 GMT)


Message #20 received at 560901-close@bugs.debian.org:

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
To: 560901-close@bugs.debian.org
Subject: Bug#560901: fixed in expat 1.95.8-3.4+etch4
Date: Wed, 16 Dec 2009 23:45:54 +0000
Source: expat
Source-Version: 1.95.8-3.4+etch4

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_1.95.8-3.4+etch4.diff.gz
  to main/e/expat/expat_1.95.8-3.4+etch4.diff.gz
expat_1.95.8-3.4+etch4.dsc
  to main/e/expat/expat_1.95.8-3.4+etch4.dsc
expat_1.95.8-3.4+etch4_i386.deb
  to main/e/expat/expat_1.95.8-3.4+etch4_i386.deb
libexpat1-dev_1.95.8-3.4+etch4_i386.deb
  to main/e/expat/libexpat1-dev_1.95.8-3.4+etch4_i386.deb
libexpat1-udeb_1.95.8-3.4+etch4_i386.udeb
  to main/e/expat/libexpat1-udeb_1.95.8-3.4+etch4_i386.udeb
libexpat1_1.95.8-3.4+etch4_i386.deb
  to main/e/expat/libexpat1_1.95.8-3.4+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560901@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Dec 2009 12:08:13 +0100
Source: expat
Binary: libexpat1 libexpat1-dev expat libexpat1-udeb
Architecture: source i386
Version: 1.95.8-3.4+etch4
Distribution: oldstable-security
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 560901
Changes: 
 expat (1.95.8-3.4+etch4) oldstable-security; urgency=medium
 .
   * NMU to old stable to fix security issues.
   * CVE-2009-3560: Fix DoS vulnerability (closes: #560901).
Files: 
 50e1e2ab47fe419e89ef671991ddb3f0 703 text optional expat_1.95.8-3.4+etch4.dsc
 e6d99f30014fccc0ffb9db1554ba1472 413321 text optional expat_1.95.8-3.4+etch4.diff.gz
 4e06399f0079e7608d25430ded374d97 129822 libdevel optional libexpat1-dev_1.95.8-3.4+etch4_i386.deb
 28f26b307f7cb5b133c7d7b0b7f336dc 63130 libs optional libexpat1_1.95.8-3.4+etch4_i386.deb
 64b2c0654425bd1234f5394efb1e2d69 54984 debian-installer extra libexpat1-udeb_1.95.8-3.4+etch4_i386.udeb
 67a8e21213321cf54be9dc58380ce45f 21090 text optional expat_1.95.8-3.4+etch4_i386.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLJWXEbxelr8HyTqQRAsU9AKDeN8Jemz1s7v3CqkWwuVXXtHa/cgCdEzUx
jAXUVT1+/QA1nDEElUT6b+c=
=dLgY
-----END PGP SIGNATURE-----





Reply sent to Daniel Leidert (dale) <daniel.leidert@wgdd.de>:
You have taken responsibility. (Wed, 16 Dec 2009 23:51:05 GMT)


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 16 Dec 2009 23:51:06 GMT)


Message #25 received at 560901-close@bugs.debian.org:

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
To: 560901-close@bugs.debian.org
Subject: Bug#560901: fixed in expat 2.0.1-4+lenny2
Date: Wed, 16 Dec 2009 23:50:11 +0000
Source: expat
Source-Version: 2.0.1-4+lenny2

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive:

expat_2.0.1-4+lenny2.diff.gz
  to main/e/expat/expat_2.0.1-4+lenny2.diff.gz
expat_2.0.1-4+lenny2.dsc
  to main/e/expat/expat_2.0.1-4+lenny2.dsc
expat_2.0.1-4+lenny2_i386.deb
  to main/e/expat/expat_2.0.1-4+lenny2_i386.deb
lib64expat1-dev_2.0.1-4+lenny2_i386.deb
  to main/e/expat/lib64expat1-dev_2.0.1-4+lenny2_i386.deb
lib64expat1_2.0.1-4+lenny2_i386.deb
  to main/e/expat/lib64expat1_2.0.1-4+lenny2_i386.deb
libexpat1-dev_2.0.1-4+lenny2_i386.deb
  to main/e/expat/libexpat1-dev_2.0.1-4+lenny2_i386.deb
libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
  to main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
libexpat1_2.0.1-4+lenny2_i386.deb
  to main/e/expat/libexpat1_2.0.1-4+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560901@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Leidert (dale) <daniel.leidert@wgdd.de> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 13 Dec 2009 12:01:05 +0100
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source i386
Version: 2.0.1-4+lenny2
Distribution: stable-security
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
Description: 
 expat      - XML parsing C library - example application
 lib64expat1 - XML parsing C library - runtime library (64bit)
 lib64expat1-dev - XML parsing C library - development kit (64bit)
 libexpat1  - XML parsing C library - runtime library
 libexpat1-dev - XML parsing C library - development kit
 libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 560901
Changes: 
 expat (2.0.1-4+lenny2) stable-security; urgency=medium
 .
   * Upload to stable to fix security issues.
   * debian/patches/560901_CVE_2009_3560.dpatch: Added.
     - lib/xmlparse.c (doProlog): Fix DoS vulnerability CVE-2009-3560 (closes:
       #560901).
   * debian/patches/00list: Adjusted.
Checksums-Sha1: 
 3db045f46d3f112072c548f98ef0e89e0d68228c 1438 expat_2.0.1-4+lenny2.dsc
 9ea9530b00abdeec86f4d1ee75d0f21adcf08f75 133845 expat_2.0.1-4+lenny2.diff.gz
 7935bbdb01015523ef035f85739554710cee2b98 168162 lib64expat1-dev_2.0.1-4+lenny2_i386.deb
 9eba01ca55fe438a2d8731111400d48efda24710 136330 lib64expat1_2.0.1-4+lenny2_i386.deb
 90c9c8b887cdfb5e92dad16dfc229762a755cde7 210542 libexpat1-dev_2.0.1-4+lenny2_i386.deb
 899a4136998dff3ff9279868a98de61266c6b3db 131876 libexpat1_2.0.1-4+lenny2_i386.deb
 6721f4e278312a6bf2ccd0708a3aaf8b14edeefb 60816 libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
 d363f1687d0bba72885c681ad2ab90d1f64bd5ff 23288 expat_2.0.1-4+lenny2_i386.deb
Checksums-Sha256: 
 858382c592ab7fc7834fe9fc562a6c874df3cfb48072f31a6d0f00b6db89464e 1438 expat_2.0.1-4+lenny2.dsc
 48547d1ff7cadad059c15dcd5aea5d8776a4329a2e3681d667e1baa43c725d4e 133845 expat_2.0.1-4+lenny2.diff.gz
 f670f95316c9aa90f652a53b053263c42ef96da562cbd3b811a9a6d3f558cf7b 168162 lib64expat1-dev_2.0.1-4+lenny2_i386.deb
 935d495b2ae6d6b62e2a4c85b436646ce0c72afa45d59e56cd272fe44da863f2 136330 lib64expat1_2.0.1-4+lenny2_i386.deb
 3bae1d27e8635f421c3c441d23f92e2b1b8b3cb922ba84a352f512c5488cdf6d 210542 libexpat1-dev_2.0.1-4+lenny2_i386.deb
 49a958e259be96ca80eecf4645113889e54f2a510ebbb77f7b1035455e2d89a5 131876 libexpat1_2.0.1-4+lenny2_i386.deb
 718856730e417820861a924bc5251fbf674b0dc3260a549d77b78890be0159dd 60816 libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
 09a5839679469cb1e37472b2a13fe90c7091aba5373bdc82ad3495e3b9fc43e8 23288 expat_2.0.1-4+lenny2_i386.deb
Files: 
 556771752cdeb9b854aae0ecd060e1c5 1438 text optional expat_2.0.1-4+lenny2.dsc
 424badd53b1147b260c2dfd3b7c5f153 133845 text optional expat_2.0.1-4+lenny2.diff.gz
 01b2166f38485842aab660f0a397487a 168162 libdevel optional lib64expat1-dev_2.0.1-4+lenny2_i386.deb
 11942d4c9c36b25882db662b9edf1981 136330 libs optional lib64expat1_2.0.1-4+lenny2_i386.deb
 54ea496b626a1875b6d7cf7519008ec3 210542 libdevel optional libexpat1-dev_2.0.1-4+lenny2_i386.deb
 8c8a91854bf5ee9eec30fda926519bef 131876 libs optional libexpat1_2.0.1-4+lenny2_i386.deb
 009c3b55eeeaa87476ff658c5c654791 60816 debian-installer extra libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
 529f392c091e9e09f74e21e77da69f0c 23288 text optional expat_2.0.1-4+lenny2_i386.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLJWXFbxelr8HyTqQRArGMAJ0ZPmDkT3u25Qea3fFz6beADACkcQCgmsXW
BsCrmpUFxPua70aBzclgjek=
=yN+K
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:26:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:56:33 2019; Machine Name: buxtehude
