Out-of-Bounds Affecting expat package, versions <2.1.1-2
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN9-EXPAT-358072
- published 30 Jun 2016
- disclosed 30 Jun 2016
Introduced: 30 Jun 2016
CVE-2016-4472 Open this link in a new tabHow to fix?
Upgrade Debian:9 expat to version 2.1.1-2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian.
See How to fix? for Debian:9 relevant fixed versions and status.
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
References
- https://security-tracker.debian.org/tracker/CVE-2016-4472
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
- https://security.gentoo.org/glsa/201701-21
- https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde
- https://www.tenable.com/security/tns-2016-20
- https://bugzilla.redhat.com/show_bug.cgi?id=1344251
- http://www.securityfocus.com/bid/91528
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-4472
- http://www.ubuntu.com/usn/USN-3013-1
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365