Package: expat / 2.2.0-2+deb9u3

Metadata

Package   Version           Patches format
expat     2.2.0-2+deb9u3    3.0 (quilt)

Patch series

Each entry below gives the patch file name, its diffstat, and the patch description.

CVE-2016-9063.patch

lib/xmlparse.c | 15 9 + 6 - 0 !
1 file changed, 9 insertions(+), 6 deletions(-)

 [PATCH] Detect integer overflow (CVE-2016-9063)

Needs XML_CONTEXT_BYTES to be _undefined_ to trigger,
default is defined and set to 1024.

Previously patched downstream, e.g.
https://sources.debian.net/src/expat/2.2.0-2/debian/patches/CVE-2016-9063.patch/
https://bug1274777.bmoattachments.org/attachment.cgi?id=8755538

This version avoids undefined behavior from _signed_ integer overflow.

Signed-off-by: Pascal Cuoq <cuoq@trust-in-soft.com>

CVE-2017-9233.patch

lib/xmlparse.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [PATCH] xmlparse.c: Fix external entity infinite loop bug
 (CVE-2017-9233)


Fix_extraction_of_namespace_prefix_from_XML_name.patch

lib/xmlparse.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH] xmlparse.c: Fix extraction of namespace prefix from XML name
 (#186)


xmlparse.c-Deny-internal-entities-closing-the-doctyp.patch

lib/xmlparse.c | 20 13 + 7 - 0 !
1 file changed, 13 insertions(+), 7 deletions(-)

 xmlparse.c: Deny internal entities closing the doctype