Hi Michael

Thanks for the report. I will look at this. I hardly think that expat
is included in any important functions at least. But I'll check.

Best regards,

// Ola

On Sat, Dec 12, 2009 at 10:57:56PM -0500, Michael Gilbert wrote:
> package: vnc4
> severity: serious
> tags: security
> 
> Hi,
> 
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for expat.  I have determined that this package embeds a
> vulnerable copy of xmlparse.c and xmltok_impl.c.  However, since this is
> a mass bug filing (due to so many packages embedding expat), I have
> not had time to determine whether the vulnerable code is actually
> present in any of the binary packages derived from this source package.
> Please determine whether this is the case. If the binary packages are
> not affected, please feel free to close the bug with a message
> containing the details of what you did to check.
> 
> CVE-2009-3560[0]:
> | The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
> | as used in the XML-Twig module for Perl, allows context-dependent
> | attackers to cause a denial of service (application crash) via an XML
> | document with malformed UTF-8 sequences that trigger a buffer
> | over-read, related to the doProlog function in lib/xmlparse.c, a
> | different vulnerability than CVE-2009-2625 and CVE-2009-3720.
> 
> CVE-2009-3720[1]:
> | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
> | 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
> | allows context-dependent attackers to cause a denial of service
> | (application crash) via an XML document with crafted UTF-8 sequences
> | that trigger a buffer over-read, a different vulnerability than
> | CVE-2009-2625.
> 
> These issues also affect old versions of expat, so this package in etch
> and lenny is very likely affected.  This is a low-severity security
> issue, so DSAs will not be issued to correct these problems.  However,
> you can optionally submit a proposed-update to the release team for
> inclusion in the next stable point releases.  If you plan to do this, 
> please open new bugs and include the security tag so we are aware that
> you are working on that.
> 
> For further information see [0],[1],[2],[3].  In particular, [2] and [3]
> are links to the patches for CVE-2009-3560 and CVE-2009-3720
> respectively. Note that the ideal solution would be to make use of the
> system expat so only one package will need to be updated for future
> security issues. Preferably in your update to unstable, alter your
> package to make use of the system expat.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
>     http://security-tracker.debian.org/tracker/CVE-2009-3560
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
>     http://security-tracker.debian.org/tracker/CVE-2009-3720
> [2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
> [3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  o...@debian.org                     Annebergsslingan 37      \
|  o...@inguza.com                      654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
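The report asks the maintainer to determine whether the built binaries actually contain the embedded expat or use the system library. The following heuristic triage script is an added illustration of one way to do that first pass; it is not code from the bug thread, from vnc4 or from expat, and the marker strings and the `debian/tmp`-style tree layout are my assumptions.

```python
"""Triage helper for the question the bug asks: does a built binary carry its
own compiled-in copy of expat, or does it use the system libexpat?
Added illustration, not code from the bug thread or from vnc4/expat.
The marker strings below are assumptions chosen for this example."""
import os
import sys

# Names from expat's public API; they stay visible in a binary that has expat
# compiled in (static copy) as well as in one that merely imports them.
API_MARKERS = (b"XML_ParserCreate", b"XML_Parse", b"XML_SetElementHandler")
# A program linked against the shared system library names its soname instead.
SONAME_MARKERS = (b"libexpat.so",)


def classify_blob(data: bytes) -> str:
    """Return 'system', 'embedded' or 'none' for one binary image."""
    if any(m in data for m in SONAME_MARKERS):
        return "system"     # symbols are resolved from the shared libexpat
    if any(m in data for m in API_MARKERS):
        return "embedded"   # API names present but no soname: compiled-in copy
    return "none"           # no evidence; a stripped static copy could still hide


def triage(files: dict) -> dict:
    """Map file name -> verdict, keeping only files that show expat at all."""
    verdicts = {name: classify_blob(blob) for name, blob in files.items()}
    return {name: v for name, v in verdicts.items() if v != "none"}


def read_tree(root: str) -> dict:
    """Read every regular file under an unpacked package tree (e.g. debian/tmp)."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    out[path] = fh.read()
    return out


if __name__ == "__main__":
    # Usage: python triage_expat.py /path/to/unpacked/package/tree
    for path, verdict in sorted(triage(read_tree(sys.argv[1])).items()):
        print(f"{verdict:8s} {path}")
```

A "none" verdict is not proof of absence, since a stripped static copy hides the API names; confirm against the build itself (whether objects from the embedded xmlparse.c and xmltok_impl.c are linked into any installed binary) before closing the bug.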