Описание
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| expat | fixed | 2.2.7-2 | package | |
| libxmltok | removed | package | ||
| libxmltok | ignored | bookworm | package | |
| firefox | fixed | 70.0-1 | package | |
| firefox-esr | fixed | 68.2.0esr-1 | package | |
| chromium | not-affected | package | ||
| thunderbird | fixed | 1:68.2.1-1 | package |
Примечания
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
https://github.com/libexpat/libexpat/issues/317
https://github.com/libexpat/libexpat/pull/318
https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-15903
https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-15903
https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-15903
src:hromium uses the system expat library.
EPSS
Связанные уязвимости
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
EPSS