Opened 15 years ago
Closed 4 years ago
#116 closed defect (outdated)
Apply patch against crash in UTF-8 parser in Expat (CVE-2009-2625)
| Reported by: | rouault | Owned by: | |
|---|---|---|---|
| Priority: | major | Component: | Package |
| Version: | | Keywords: | expat |
| Cc: | | | |
Description
A security hole has been discovered in Expat 2.0.1 that makes it crash on invalid UTF-8 sequences. The fix is in upstream Expat (http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13) and has been backported to Linux distros: https://bugs.gentoo.org/show_bug.cgi?id=280615, http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/trunk/debian/patches/551936_CVE_2009_2625.dpatch
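The defect class behind this ticket, a UTF-8 decoder that reaches beyond the end of its input when a multi-byte sequence is malformed or cut off by the buffer boundary, is illustrated below by a bounds-checked validator. This is an added example written for this page, not Expat's xmltok_impl.c code and not the distro patches linked above; the function names utf8_scan_one, utf8_validate and utf8_check, and the sample byte strings, are constructed here.

```c
/* Bounds-checked UTF-8 validation: added example, not Expat's code.
 * Every continuation byte is checked against the end of the buffer before it
 * is read, so a malformed or truncated sequence is reported, never over-read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    UTF8_OK,        /* every byte belongs to a complete, well-formed sequence */
    UTF8_INVALID,   /* bad lead/continuation byte, overlong form, surrogate or > U+10FFFF */
    UTF8_TRUNCATED  /* a well-formed prefix runs into the end of the buffer */
} utf8_status;

/* Scan one sequence starting at p, never reading at or beyond end.
 * *len receives the number of bytes examined (the full length on UTF8_OK). */
static utf8_status utf8_scan_one(const unsigned char *p, const unsigned char *end, size_t *len)
{
    size_t avail = (size_t)(end - p);
    size_t need, i;
    uint32_t cp;
    unsigned char b0;

    if (avail == 0) { *len = 0; return UTF8_TRUNCATED; }
    b0 = p[0];
    if (b0 < 0x80)                     { *len = 1; return UTF8_OK; }
    else if (b0 >= 0xC2 && b0 <= 0xDF) { need = 2; cp = b0 & 0x1F; }
    else if (b0 >= 0xE0 && b0 <= 0xEF) { need = 3; cp = b0 & 0x0F; }
    else if (b0 >= 0xF0 && b0 <= 0xF4) { need = 4; cp = b0 & 0x07; }
    else { *len = 1; return UTF8_INVALID; }  /* stray continuation, C0/C1 overlong lead, F5..FF */

    for (i = 1; i < need; i++) {
        /* The bounds check: stop before reading a byte that is not in the buffer. */
        if (i >= avail) { *len = i; return UTF8_TRUNCATED; }
        if ((p[i] & 0xC0) != 0x80) { *len = i; return UTF8_INVALID; }
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    /* Shortest-form rule, UTF-16 surrogates and the Unicode ceiling. */
    if ((need == 3 && cp < 0x800) || (need == 4 && cp < 0x10000) ||
        (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) {
        *len = need; return UTF8_INVALID;
    }
    *len = need;
    return UTF8_OK;
}

/* Validate a whole buffer. *consumed is the offset of the first sequence that was
 * not accepted (== n when the whole buffer is well-formed); a streaming caller
 * keeps the bytes from *consumed onward and prepends them to the next chunk. */
static utf8_status utf8_validate(const unsigned char *buf, size_t n, size_t *consumed)
{
    const unsigned char *p = buf, *end = buf + n;
    size_t len;
    while (p < end) {
        utf8_status st = utf8_scan_one(p, end, &len);
        if (st != UTF8_OK) { *consumed = (size_t)(p - buf); return st; }
        p += len;
    }
    *consumed = n;
    return UTF8_OK;
}

/* Returns 1 if validating the given bytes yields the expected status and offset. */
static int utf8_check(const char *s, size_t n, utf8_status want, size_t want_consumed)
{
    size_t consumed = 0;
    utf8_status got = utf8_validate((const unsigned char *)s, n, &consumed);
    return got == want && consumed == want_consumed;
}

int main(void)
{
    /* Constructed samples, each paired with the result the validator should give. */
    struct { const char *bytes; size_t n; utf8_status want; size_t off; const char *what; } cases[] = {
        { "abc",              3, UTF8_OK,        3, "plain ASCII" },
        { "\xE2\x82\xAC",     3, UTF8_OK,        3, "complete 3-byte sequence (U+20AC)" },
        { "a\xE2\x82",        3, UTF8_TRUNCATED, 1, "buffer ends inside a sequence" },
        { "\xC0\xAF",         2, UTF8_INVALID,   0, "overlong encoding of '/'" },
        { "\xED\xA0\x80",     3, UTF8_INVALID,   0, "encoded UTF-16 surrogate" },
        { "\xF4\x90\x80\x80", 4, UTF8_INVALID,   0, "above U+10FFFF" },
        { "ab\x80",           3, UTF8_INVALID,   2, "stray continuation byte" },
    };
    size_t i, failures = 0;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok = utf8_check(cases[i].bytes, cases[i].n, cases[i].want, cases[i].off);
        printf("%-36s %s\n", cases[i].what, ok ? "ok" : "FAIL");
        if (!ok) failures++;
    }
    return failures ? 1 : 0;
}
```

The point of separating UTF8_TRUNCATED from UTF8_INVALID is the buffer boundary: a parser fed in chunks will routinely see a legitimate sequence split across two reads, and it must hold those bytes back rather than either rejecting the document or reading past the end of the current chunk to finish the sequence.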
Change History (3)
comment:1 by , 15 years ago
comment:2 by , 15 years ago
I'll usually trust Linux distro and security researchers for places to patch. Actually, when looking at http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/trunk/debian/patches/, I see there's also an extra patch for another expat CVE that should be applied. So the two are:
comment:3 by , 4 years ago
| Resolution: | → outdated |
|---|---|
| Status: | new → closed |
Is this the only location where this problem may arise? I see a couple of places similar to this in the affected file.