CVE-2012-0876 in Ubuntu

CVE-2012-0876

Priority

Description

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values
without restricting the ability to trigger hash collisions predictably,
which allows context-dependent attackers to cause a denial of service (CPU
consumption) via an XML file with many identifiers with the same value.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876
http://blog.gmane.org/gmane.text.xml.expat.bugs/month=20120301
http://www.openwall.com/lists/oss-security/2012/03/09/1
https://rhn.redhat.com/errata/RHSA-2012-0731.html
https://ubuntu.com/security/notices/USN-1527-1
https://ubuntu.com/security/notices/USN-1527-2
https://ubuntu.com/security/notices/USN-1613-1
https://ubuntu.com/security/notices/USN-1613-2

Bugs

http://sourceforge.net/tracker/?func=detail&atid=110127&aid=3496608&group_id=10127
https://bugzilla.redhat.com/show_bug.cgi?id=786617
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663579
http://bugs.python.org/issue14234

Notes

jdstrand	RedHat issued https://rhn.redhat.com/errata/RHBA-2012-1250.html for python as a result of the added XML_SetHashSalt symbol
ebarretto	tla uses system expat as of 1.3.5+dfsg-15
rodrigo-zaiden	the vulnerable code was added in expat version 1.95.7, with commit https://github.com/libexpat/libexpat/commit/8650b04b libxmltok seems to use code based on expat version 1.2 and does not add this commit, so, it's not affected.

Package

Source: apache2 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code-not-compiled)
Ubuntu 20.04 LTS:	not-affected (code-not-compiled)
Ubuntu 21.10:	not-affected (code-not-compiled)
Ubuntu 16.04 ESM:	not-affected (code-not-compiled)
Ubuntu 22.04 LTS:	not-affected (code-not-compiled)
Ubuntu 22.10:	not-affected (code-not-compiled)
Ubuntu 14.04 ESM:	not-affected (code-not-compiled)

Patches:

Package

Source: apr-util (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code-not-compiled)
Ubuntu 20.04 LTS:	not-affected (code-not-compiled)
Ubuntu 21.10:	not-affected (code-not-compiled)
Ubuntu 16.04 ESM:	not-affected (code-not-compiled)
Ubuntu 22.04 LTS:	not-affected (code-not-compiled)
Ubuntu 22.10:	not-affected (code-not-compiled)
Ubuntu 14.04 ESM:	not-affected (code-not-compiled)

Patches:

Package

Source: audacity (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (uses system expat)
Ubuntu 20.04 LTS:	not-affected (uses system expat)
Ubuntu 21.10:	not-affected (uses system expat)
Ubuntu 22.04 LTS:	not-affected (uses system expat)
Ubuntu 22.10:	not-affected (uses system expat)
Ubuntu 14.04 ESM:	DNE (trusty was not-affected [uses system expat])

Patches:

Package

Source: ayttm (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: cableswig (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: cadaver (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	needed
Ubuntu 21.10:	needed
Ubuntu 22.04 LTS:	needed
Ubuntu 22.10:	needed
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: celementtree (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: cmake (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code-not-compiled)
Ubuntu 20.04 LTS:	not-affected (code-not-compiled)
Ubuntu 21.10:	not-affected (code-not-compiled)
Ubuntu 16.04 ESM:	not-affected (code-not-compiled)
Ubuntu 22.04 LTS:	not-affected (code-not-compiled)
Ubuntu 22.10:	not-affected (code-not-compiled)
Ubuntu 14.04 ESM:	DNE (trusty was ignored [code-not-compiled])

Patches:

Package

Source: coin3 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	not-affected
Ubuntu 21.10:	not-affected
Ubuntu 22.04 LTS:	not-affected
Ubuntu 22.10:	not-affected
Ubuntu 14.04 ESM:	needed

Patches:

Package

Source: expat (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (2.1.0-1)
Ubuntu 20.04 LTS:	not-affected (2.1.0-1)
Ubuntu 21.10:	not-affected (2.1.0-1)
Ubuntu 16.04 ESM:	not-affected (2.1.0-1)
Ubuntu 22.04 LTS:	not-affected (2.1.0-1)
Ubuntu 22.10:	not-affected (2.1.0-1)
Ubuntu 14.04 ESM:	not-affected (2.1.0-1)

Patches:

Upstream:	http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/expat.h?r1=1.80&r2=1.81
Upstream:	http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.167&r2=1.168
Upstream:	http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.168&r2=1.169
Upstream:	http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.169&r2=1.170

Package

Source: gdcm (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (uses system expat)
Ubuntu 20.04 LTS:	not-affected (uses system expat)
Ubuntu 21.10:	not-affected (uses system expat)
Ubuntu 22.04 LTS:	not-affected (uses system expat)
Ubuntu 22.10:	not-affected (uses system expat)
Ubuntu 14.04 ESM:	not-affected (uses system expat)

Patches:

Package

Source: ghostscript (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code-not-compiled)
Ubuntu 20.04 LTS:	not-affected (code-not-compiled)
Ubuntu 21.10:	not-affected (code-not-compiled)
Ubuntu 16.04 ESM:	not-affected (code-not-compiled)
Ubuntu 22.04 LTS:	not-affected (code-not-compiled)
Ubuntu 22.10:	not-affected (code-not-compiled)
Ubuntu 14.04 ESM:	DNE (trusty was ignored [code-not-compiled])

Patches:

Package

Source: grmonitor (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: insighttoolkit (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: kompozer (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: libparagui1.1 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: libxmltok (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code not present)
Ubuntu 20.04 LTS:	not-affected (code not present)
Ubuntu 21.10:	not-affected (code not present)
Ubuntu 22.04 LTS:	not-affected (code not present)

Patches:

Package

Source: matanza (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	needed
Ubuntu 21.10:	needed
Ubuntu 22.04 LTS:	needed
Ubuntu 22.10:	needed
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: paraview (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (uses system expat)
Ubuntu 20.04 LTS:	not-affected (uses system expat)
Ubuntu 21.10:	not-affected (uses system expat)
Ubuntu 22.04 LTS:	not-affected (uses system expat)
Ubuntu 22.10:	not-affected (uses system expat)
Ubuntu 14.04 ESM:	DNE (trusty was not-affected [uses system expat])

Patches:

Package

Source: poco (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (uses system expat)
Ubuntu 20.04 LTS:	not-affected (uses system expat)
Ubuntu 21.10:	not-affected (uses system expat)
Ubuntu 22.04 LTS:	not-affected (uses system expat)
Ubuntu 22.10:	not-affected (uses system expat)
Ubuntu 14.04 ESM:	not-affected (uses system expat)

Patches:

Package

Source: python-xml (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: python2.4 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: python2.5 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: python2.6 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: simgear (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (uses system expat)
Ubuntu 20.04 LTS:	not-affected (uses system expat)
Ubuntu 21.10:	not-affected (uses system expat)
Ubuntu 22.04 LTS:	not-affected (uses system expat)
Ubuntu 22.10:	not-affected (uses system expat)
Ubuntu 14.04 ESM:	DNE (trusty was not-affected [uses system expat])

Patches:

Package

Source: sitecopy (LP Ubuntu Debian)

Upstream:	not-affected (uses system expat)
Ubuntu 18.04 LTS:	not-affected (uses system expat)
Ubuntu 20.04 LTS:	not-affected (uses system expat)
Ubuntu 21.10:	not-affected (uses system expat)
Ubuntu 22.04 LTS:	not-affected (uses system expat)
Ubuntu 22.10:	not-affected (uses system expat)
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: smart (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code-not-compiled)
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was ignored [code-not-compiled])

Patches:

Package

Source: swish-e (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	needed
Ubuntu 21.10:	needed
Ubuntu 22.04 LTS:	needed
Ubuntu 22.10:	needed
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: tdom (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected
Ubuntu 20.04 LTS:	not-affected
Ubuntu 21.10:	not-affected
Ubuntu 22.04 LTS:	not-affected
Ubuntu 22.10:	not-affected
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: texlive-bin (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (code-not-compiled)
Ubuntu 20.04 LTS:	not-affected (code-not-compiled)
Ubuntu 21.10:	not-affected (code-not-compiled)
Ubuntu 16.04 ESM:	not-affected (code-not-compiled)
Ubuntu 22.04 LTS:	not-affected (code-not-compiled)
Ubuntu 22.10:	not-affected (code-not-compiled)
Ubuntu 14.04 ESM:	DNE (trusty was ignored [code-not-compiled])

Patches:

Package

Source: tla (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (1.3.5+dfsg-15)
Ubuntu 20.04 LTS:	not-affected (1.3.5+dfsg-15)
Ubuntu 21.10:	not-affected (1.3.5+dfsg-15)
Ubuntu 22.04 LTS:	not-affected (1.3.5+dfsg-15)
Ubuntu 22.10:	not-affected (1.3.5+dfsg-15)
Ubuntu 14.04 ESM:	DNE (trusty was not-affected [1.3.5+dfsg-15])

Patches:

Package

Source: vnc4 (LP Ubuntu Debian)

Upstream:	ignored
Ubuntu 18.04 LTS:	ignored
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	ignored

Patches:

Package

Source: vtk (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was not-affected [uses system expat])

Patches:

Package

Source: w3c-libwww (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: wbxml2 (LP Ubuntu Debian)

Upstream:	not-affected (uses system expat)
Ubuntu 18.04 LTS:	not-affected (uses system expat)
Ubuntu 20.04 LTS:	not-affected (uses system expat)
Ubuntu 21.10:	not-affected (uses system expat)
Ubuntu 22.04 LTS:	not-affected (uses system expat)
Ubuntu 22.10:	not-affected (uses system expat)
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: wxwidgets2.6 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: wxwidgets2.8 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was not-affected [uses system expat])

Patches:

Package

Source: wxwindows2.4 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

Package

Source: xmlrpc-c (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	released (1.16.33-3.1ubuntu6)
Ubuntu 20.04 LTS:	released (1.16.33-3.1ubuntu6)
Ubuntu 21.10:	released (1.16.33-3.1ubuntu6)
Ubuntu 22.04 LTS:	released (1.16.33-3.1ubuntu6)
Ubuntu 22.10:	released (1.16.33-3.1ubuntu6)
Ubuntu 14.04 ESM:	released (1.16.33-3.1ubuntu6)

Patches:

Upstream:

http://xmlrpc-c.svn.sourceforge.net/viewvc/xmlrpc-c?view=revision&revision=2391

Package

Source: xotcl (LP Ubuntu Debian)

Upstream:	not-affected (1.6.5-1.2)
Ubuntu 18.04 LTS:	not-affected (1.6.5-1.2)
Ubuntu 20.04 LTS:	not-affected (1.6.5-1.2)
Ubuntu 21.10:	not-affected (1.6.5-1.2)
Ubuntu 22.04 LTS:	not-affected (1.6.5-1.2)
Ubuntu 22.10:	not-affected (1.6.5-1.2)
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: xulrunner (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 22.10:	DNE
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Updated: 2022-06-10 12:27:40 UTC (commit 3842cb24bd3a60b6ebbb423eeceeb5b054a4e970)