CVE-2009-3560

Priority
Description
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as
used in the XML-Twig module for Perl, allows context-dependent attackers to
cause a denial of service (application crash) via an XML document with
malformed UTF-8 sequences that trigger a buffer over-read, related to the
doProlog function in lib/xmlparse.c, a different vulnerability than
CVE-2009-2625 and CVE-2009-3720.
Notes
mdeslaur: watch out for possible regression (see DSA-1953-2)
jdstrand: regression for SUSE: https://bugzilla.novell.com/show_bug.cgi?id=566434
  regression fix commit: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log#rev1.165
  2.0.1-4+lenny3 has the fix
jdstrand: provided updates in supported releases for expat, xmlrpc-c,
  cmake, python-xml, python2.4, and python2.5
ebarretto: this is not an issue for vnc4, for more information see:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560949
sbeattie: as of xotcl 1.6.6-1, xotcl uses system expat
  as of tla 1.3.5+dfsg-15, tla uses system expat
  as of sitecopy 1:0.16.0-1, sitecopy uses system expat
  by wbxml2 0.10.7-1, wbxml2 uses system expat
  as of insighttoolkit 3.16.0-1, insighttoolkit uses system expat
  according to dbug 560926, cadaver only uses embedded expat
  when embedded neon is used, and embedded neon is not used in Ubuntu
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (code-not-compiled)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (code-not-compiled)
Ubuntu 19.10 (Eoan Ermine):not-affected (code-not-compiled)
Ubuntu 20.04 (Focal Fossa):not-affected (code-not-compiled)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (code-not-compiled)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (code-not-compiled)
Ubuntu 19.10 (Eoan Ermine):not-affected (code-not-compiled)
Ubuntu 20.04 (Focal Fossa):not-affected (code-not-compiled)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was not-affected [uses system expat])
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [uses system expat])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Source: ayttm (LP Ubuntu Debian)
Upstream:released (0.6.1-2)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was not-affected [0.6.1-2])
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [0.6.1-2])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (0.6.1-2)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Source: cmake (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was ignored [code-not-compiled])
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was ignored [code-not-compiled])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (code-not-compiled)
Ubuntu 19.10 (Eoan Ermine):not-affected (code-not-compiled)
Ubuntu 20.04 (Focal Fossa):not-affected (code-not-compiled)
Package
Source: coin3 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 (Focal Fossa):needed
Package
Source: expat (LP Ubuntu Debian)
Upstream:needed
Ubuntu 12.04 ESM (Precise Pangolin):released (2.0.1-7ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr):released (2.0.1-7ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.0.1-7ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver):released (2.0.1-7ubuntu1)
Ubuntu 19.10 (Eoan Ermine):released (2.0.1-7ubuntu1)
Ubuntu 20.04 (Focal Fossa):released (2.0.1-7ubuntu1)
Patches:
Vendor:http://www.debian.org/security/2009/dsa-1953
Package
Source: gdcm (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was not-affected [uses system expat])
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was ignored [code-not-compiled])
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was ignored [code-not-compiled])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (code-not-compiled)
Ubuntu 19.10 (Eoan Ermine):not-affected (code-not-compiled)
Ubuntu 20.04 (Focal Fossa):not-affected (code-not-compiled)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:released (3.16.0-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):needs-triage
Ubuntu 20.04 (Focal Fossa):needs-triage
Package
Upstream:released (3.6.2-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was not-affected [3.8.1-1ubuntu1])
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [3.8.1-1ubuntu1])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (3.8.1-1ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (3.8.1-1ubuntu1)
Ubuntu 19.10 (Eoan Ermine):not-affected (3.8.1-1ubuntu1)
Ubuntu 20.04 (Focal Fossa):not-affected (3.8.1-1ubuntu1)
Package
Source: poco (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was not-affected [uses system expat])
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:released (2.6.4-4)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [uses system expat])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Upstream:released (1:0.16.0-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Source: smart (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was ignored [code-not-compiled])
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was ignored [code-not-compiled])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (code-not-compiled)
Ubuntu 19.10 (Eoan Ermine):not-affected (code-not-compiled)
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):needs-triage
Ubuntu 20.04 (Focal Fossa):needs-triage
Package
Source: tdom (LP Ubuntu Debian)
Upstream:not-affected (uses system expat)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was ignored [code-not-compiled])
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was ignored [code-not-compiled])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (code-not-compiled)
Ubuntu 19.10 (Eoan Ermine):not-affected (code-not-compiled)
Ubuntu 20.04 (Focal Fossa):not-affected (code-not-compiled)
Package
Source: tla (LP Ubuntu Debian)
Upstream:released (1.3.5+dfsg-15)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Source: vnc4 (LP Ubuntu Debian)
Upstream:not-affected
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):not-affected
Ubuntu 16.04 LTS (Xenial Xerus):not-affected
Ubuntu 18.04 LTS (Bionic Beaver):not-affected
Ubuntu 19.10 (Eoan Ermine):not-affected
Ubuntu 20.04 (Focal Fossa):DNE
Package
Source: vtk (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [uses system expat])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was not-affected [uses system expat])
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [uses system expat])
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was released [1.06.27-1ubuntu7])
Ubuntu 14.04 ESM (Trusty Tahr):released (1.06.27-1ubuntu7)
Ubuntu 16.04 LTS (Xenial Xerus):released (1.06.27-1ubuntu7)
Ubuntu 18.04 LTS (Bionic Beaver):released (1.06.27-1ubuntu7)
Ubuntu 19.10 (Eoan Ermine):released (1.06.27-1ubuntu7)
Ubuntu 20.04 (Focal Fossa):released (1.06.27-1ubuntu7)
Package
Source: xotcl (LP Ubuntu Debian)
Upstream:released (1.6.6-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system expat)
Ubuntu 19.10 (Eoan Ermine):not-affected (uses system expat)
Ubuntu 20.04 (Focal Fossa):not-affected (uses system expat)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):DNE
More Information

Updated: 2020-04-24 03:14:17 UTC (commit d3f8a6ed481830fb100109a132bef581fc4176fe)