Package: expat / 2.2.0-2+deb9u1

Metadata

Package   Version           Patches format
expat     2.2.0-2+deb9u1    3.0 (quilt)

Patch series

Patch File delta Description
CVE-2016-9063.patch

lib/xmlparse.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

 [PATCH] Detect integer overflow (CVE-2016-9063)

Needs XML_CONTEXT_BYTES to be _undefined_ to trigger; the default is
defined and set to 1024.

Previously patched downstream, e.g.
https://sources.debian.net/src/expat/2.2.0-2/debian/patches/CVE-2016-9063.patch/
https://bug1274777.bmoattachments.org/attachment.cgi?id=8755538

This version avoids undefined behavior from _signed_ integer overflow.

Signed-off-by: Pascal Cuoq <cuoq@trust-in-soft.com>
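The overflow this patch detects lives in `int` size arithmetic in expat's buffer handling, and the description stresses that the detection itself must not rely on signed overflow, which is undefined behaviour in C. The following C is an added illustration of the two defensive patterns that implies (compare before adding, and double in unsigned arithmetic so a wrap is detectable rather than undefined); it is not the patch's code or expat's. The function names, the `keep`/`len`/`current`/`needed` parameters and the inputs in `main` are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative helpers, not expat code.  Sizes are `int` because that is
 * the type expat's buffer API uses (XML_GetBuffer takes an int len). */

/* Naive form: add first, look for a negative result afterwards.
 * If keep + len exceeds INT_MAX the addition is signed overflow, which
 * is undefined behaviour: a compiler may assume it cannot happen and
 * drop the `needed < 0` test, so this "detection" is not guaranteed to
 * fire.  Kept only for comparison; do not use. */
static bool needed_size_naive(int keep, int len, int *out)
{
    int needed = keep + len;   /* UB when keep + len > INT_MAX */
    if (needed < 0)
        return false;
    *out = needed;
    return true;
}

/* Safe form: compare before adding.  With keep >= 0, INT_MAX - keep
 * cannot overflow, so every operation here is well defined. */
static bool needed_size_safe(int keep, int len, int *out)
{
    if (keep < 0 || len < 0)
        return false;
    if (len > INT_MAX - keep)
        return false;          /* would overflow: refuse, caller reports no-memory */
    *out = keep + len;
    return true;
}

/* Grow a buffer size by doubling until it covers `needed`.  The doubling
 * runs in unsigned arithmetic, where wraparound is defined, and the
 * result is rejected once it no longer fits in an int.  A signed
 * `size *= 2` loop would instead overflow (UB) and could spin forever or
 * yield a small positive size that is then handed to realloc. */
static bool grow_to_fit(int current, int needed, int *out)
{
    if (current <= 0 || needed < 0)
        return false;
    unsigned size = (unsigned)current;
    while (size < (unsigned)needed) {
        size *= 2U;            /* current <= INT_MAX, so 2*size <= UINT_MAX - 1: no wrap */
        if (size > (unsigned)INT_MAX)
            return false;      /* next buffer would not fit in an int */
    }
    *out = (int)size;
    return true;
}

int main(void)
{
    int out;
    /* Constructed inputs: one realistic request and two near INT_MAX. */
    printf("1024 kept + 100 new -> %s\n",
           needed_size_safe(1024, 100, &out) ? "ok" : "overflow");
    printf("INT_MAX-10 kept + 11 new -> %s\n",
           needed_size_safe(INT_MAX - 10, 11, &out) ? "ok" : "overflow");
    if (grow_to_fit(1024, 5000, &out))
        printf("grow 1024 to cover 5000 -> %d\n", out);
    printf("grow 1<<30 to cover (1<<30)+1 -> %s\n",
           grow_to_fit(1 << 30, (1 << 30) + 1, &out) ? "ok" : "overflow");
    return 0;
}
```

Both safe helpers report failure instead of producing a wrapped size, which is the behaviour a caller needs in order to fail the parse with a no-memory error rather than allocate too little and write past it.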

CVE-2017-9233.patch

lib/xmlparse.c | 8 ++++++++
1 file changed, 8 insertions(+)

 [PATCH] xmlparse.c: Fix external entity infinite loop bug (CVE-2017-9233)