Opened 11 years ago

Last modified 11 years ago

#116 new defect

Apply patch against crash in UTF-8 parser in Expat (CVE-2009-2625)

Reported by: rouault Owned by: osgeo4w-dev@…
Priority: major Component: Package
Version: Keywords: expat
Cc:

Description

A security hole has been discovered in Expat 2.0.1 that make it crash on invalid UTF8 sequences. The fix is in upstream Expat(http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13) and has been backported to Linux distros : https://bugs.gentoo.org/show_bug.cgi?id=280615, http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/trunk/debian/patches/551936_CVE_2009_2625.dpatch

Change History (2)

comment:1 Changed 11 years ago by tamas

Is this the only location where this problem may arise? I see a couple of places similar to this in the affected file.

comment:2 Changed 11 years ago by rouault

I'll usually trust Linux distro and security researchers for places to patch. Actually, When looking at http://svn.debian.org/wsvn/debian-xml-sgml/packages/expat/trunk/debian/patches/, I see there's also an extra patch for another expat CVE that should be applied. So the 2 are :

Note: See TracTickets for help on using tickets.