Out-of-bounds Read Affecting expat package, versions <2.2.0-2+deb9u3
Snyk CVSS
Attack Complexity
Low
Availability
High
Threat Intelligence
EPSS
0.51% (76th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN9-EXPAT-460773
- published 4 Sep 2019
- disclosed 4 Sep 2019
How to fix?
Upgrade Debian:9
expat
to version 2.2.0-2+deb9u3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream expat
package and not the expat
package as distributed by Debian
.
See How to fix?
for Debian:9
relevant fixed versions and status.
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
References
- ADVISORY
- ADVISORY
- BUGTRAQ
- BUGTRAQ
- BUGTRAQ
- BUGTRAQ
- BUGTRAQ
- BUGTRAQ
- BUGTRAQ
- Bugtraq Mailing List
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- CONFIRM
- DEBIAN
- DEBIAN
- DEBIAN
- FEDORA
- FEDORA
- FEDORA
- FULLDISC
- FULLDISC
- FULLDISC
- FULLDISC
- GENTOO
- GitHub Commit
- GitHub Issue
- GitHub Issue
- GitHub PR
- MISC
- MISC
- MISC
- MISC
- MLIST
- MLIST
- N/A
- REDHAT
- REDHAT
- REDHAT
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- SUSE
- UBUNTU
- UBUNTU
- UBUNTU
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- cve@mitre.org
- cve@mitre.org
- cve@mitre.org