CVE-2009-3560

Name: CVE-2009-3560
Description: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
Source: CVE (at NVD)
References: DSA-1953-1, DSA-1953-2, DSA-1977-1
NVD severity: medium
Debian Bugs: 560901, 560912, 560913, 560914, 560915, 560916, 560917, 560919, 560920, 560921, 560922, 560924, 560925, 560926, 560927, 560928, 560929, 560930, 560931, 560932, 560933, 560935, 560936, 560937, 560940, 560942, 560944, 560945, 560946, 560951, 560953, 601053

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                  | Version                               | Status
---------------|------------------------------------------|---------------------------------------|-----------
audacity       | stretch                                  | 2.1.2-2                               | fixed
audacity       | buster                                   | 2.2.2-1                               | fixed
audacity       | bookworm, sid, bullseye                  | 2.4.2~dfsg0-5                         | fixed
cadaver        | stretch                                  | 0.23.3-2                              | vulnerable
cadaver        | bookworm, sid, buster, bullseye          | 0.23.3-2.1                            | vulnerable
cmake          | stretch                                  | 3.7.2-1                               | fixed
cmake          | buster                                   | 3.13.4-1                              | fixed
cmake          | bullseye                                 | 3.18.4-2                              | fixed
cmake          | bookworm, sid                            | 3.21.3-4                              | fixed
coin3          | stretch                                  | 3.1.4~abc9f50+dfsg1-2                 | vulnerable
coin3          | buster                                   | 4.0.0~CMake~6f54f1602475+ds1-2        | vulnerable
coin3          | bullseye                                 | 4.0.0+ds-1                            | vulnerable
coin3          | bookworm, sid                            | 4.0.0+ds-2                            | vulnerable
expat          | stretch (security), stretch              | 2.2.0-2+deb9u3                        | fixed
expat          | buster, buster (security)                | 2.2.6-2+deb10u1                       | fixed
expat          | bullseye                                 | 2.2.10-2                              | fixed
expat          | bookworm, sid                            | 2.4.1-2                               | fixed
gdcm           | stretch                                  | 2.6.6-3                               | fixed
gdcm           | buster                                   | 2.8.8-9                               | fixed
gdcm           | bookworm, bullseye                       | 3.0.8-2                               | fixed
gdcm           | sid                                      | 3.0.8-4                               | fixed
ghostscript    | stretch                                  | 9.26a~dfsg-0+deb9u6                   | fixed
ghostscript    | stretch (security)                       | 9.26a~dfsg-0+deb9u7                   | fixed
ghostscript    | buster, buster (security)                | 9.27~dfsg-2+deb10u4                   | fixed
ghostscript    | bullseye (security), bullseye            | 9.53.3~dfsg-7+deb11u1                 | fixed
ghostscript    | bookworm, sid                            | 9.54.0~dfsg-5                         | fixed
matanza        | stretch                                  | 0.13+ds1-5                            | vulnerable
matanza        | buster                                   | 0.13+ds1-6                            | vulnerable
matanza        | bookworm, sid, bullseye                  | 0.13+ds2-1                            | vulnerable
mcabber        | stretch                                  | 1.0.4-1.1                             | fixed
mcabber        | buster                                   | 1.1.0-1.1                             | fixed
mcabber        | bookworm, sid, bullseye                  | 1.1.2-1                               | fixed
paraview       | stretch                                  | 5.1.2+dfsg1-2                         | fixed
paraview       | buster                                   | 5.4.1+dfsg4-3.1                       | fixed
paraview       | bookworm, sid, bullseye                  | 5.9.0-2                               | fixed
poco           | stretch (security), stretch              | 1.7.6+dfsg1-5+deb9u1                  | fixed
poco           | buster                                   | 1.9.0-5                               | fixed
poco           | bullseye                                 | 1.10.0-6                              | fixed
poco           | bookworm, sid                            | 1.11.0-2                              | fixed
simgear        | stretch                                  | 1:2016.4.4+dfsg-2                     | fixed
simgear        | buster                                   | 1:2018.3.2+dfsg-5                     | fixed
simgear        | bookworm, sid, bullseye                  | 1:2020.3.6+dfsg-1                     | fixed
smart          | buster, stretch                          | 1.4-2                                 | fixed
tdom           | stretch                                  | 0.8.3-1                               | fixed
tdom           | buster                                   | 0.9.1-1                               | fixed
tdom           | bookworm, sid, bullseye                  | 0.9.2-1                               | fixed
texlive-bin    | stretch (security), stretch              | 2016.20160513.41080.dfsg-2+deb9u1     | fixed
texlive-bin    | buster                                   | 2018.20181218.49446-1                 | fixed
texlive-bin    | bullseye                                 | 2020.20200327.54578-7                 | fixed
texlive-bin    | bookworm, sid                            | 2021.20210626.59705-1                 | fixed
tla            | bookworm, sid, buster, bullseye, stretch | 1.3.5+dfsg1-2                         | fixed
udunits        | stretch                                  | 2.2.20-1                              | fixed
udunits        | buster                                   | 2.2.26-5                              | fixed
udunits        | bookworm, sid, bullseye                  | 2.2.28-3                              | fixed
vnc4           | buster, stretch                          | 4.1.1+X4.3.0+t-1                      | fixed
xmlrpc-c       | stretch                                  | 1.33.14-4                             | fixed
xmlrpc-c       | buster                                   | 1.33.14-8                             | fixed
xmlrpc-c       | bullseye                                 | 1.33.14-9                             | fixed
xmlrpc-c       | bookworm, sid                            | 1.33.14-10                            | fixed
xotcl          | stretch                                  | 1.6.8-3                               | fixed
xotcl          | buster                                   | 1.6.8-4                               | fixed
xotcl          | bookworm, sid, bullseye                  | 1.6.8-4.1                             | fixed

The information below is based on the following data on fixed versions.

Package        | Type   | Release    | Fixed Version        | Urgency     | Origin     | Debian Bugs
---------------|--------|------------|----------------------|-------------|------------|------------
audacity       | source | (unstable) | 1.3.2-1              | unimportant |            | 560919
ayttm          | source | (unstable) | 0.6.1-2              | low         |            | 560924
cableswig      | source | (unstable) | (unfixed)            | unimportant |            | 560925
cadaver        | source | (unstable) | (unfixed)            | unimportant |            | 560926
cmake          | source | (unstable) | 2.6.0-6              | unimportant |            | 560927
coin3          | source | (unstable) | (unfixed)            | unimportant |            | 560928
expat          | source | etch       | 1.95.8-3.4+etch3     |             | DSA-1953-2 |
expat          | source | lenny      | 2.0.1-4+lenny3       |             | DSA-1953-2 |
expat          | source | (unstable) | 2.0.1-6              | low         |            | 560901
gdcm           | source | (unstable) | 2.0.14-2             | low         |            | 560929
ghostscript    | source | (unstable) | 8.71~dfsg-2          | unimportant |            | 560930
grmonitor      | source | (unstable) | (unfixed)            | unimportant |            | 560931
gs-gpl         | source | (unstable) | (unfixed)            | unimportant |            |
iceape         | source | (unstable) | (unfixed)            | unimportant |            | 560932
iceweasel      | source | (unstable) | (not affected)       |             |            |
insighttoolkit | source | (unstable) | 3.16.0-1             | unimportant |            | 560933
kompozer       | source | (unstable) | 1:0.8~b1-2           | low         |            | 560944
matanza        | source | (unstable) | (unfixed)            | unimportant |            | 560920
mcabber        | source | (unstable) | 0.10.0-1             | low         |            | 601053
paraview       | source | (unstable) | 3.6.2-1              | unimportant |            | 560935
poco           | source | (unstable) | 1.3.6p1-1            | unimportant |            | 560936
python-4suite  | source | (unstable) | 1.0.2-7.2            | low         |            | 560914
python-xml     | source | lenny      | 0.8.4-10.1+lenny1    |             |            |
python-xml     | source | (unstable) | (unfixed)            | low         |            | 560951
python2.4      | source | etch       | 2.4.4-3+etch3        |             | DSA-1977-1 |
python2.4      | source | lenny      | 2.4.6-1+lenny1       |             | DSA-1977-1 |
python2.4      | source | (unstable) | 2.4.4-3+etch3        | low         |            | 560913
python2.5      | source | etch       | 2.5-5+etch2          |             | DSA-1977-1 |
python2.5      | source | lenny      | 2.5.2-15+lenny1      |             | DSA-1977-1 |
python2.5      | source | (unstable) | 2.5.4-3.1            | low         |            | 560912
python2.6      | source | (unstable) | 2.6.4-4              |             |            |
simgear        | source | (unstable) | 2.10.0-1             | unimportant |            | 560937
smart          | source | (unstable) | 1.2-5.1              | low         |            | 560953
tdom           | source | (unstable) | 0.8.3~20080525-1     | low         |            | 560921
texlive-bin    | source | (unstable) | (not affected)       |             |            |
tla            | source | lenny      | 1.3.5+dfsg-14+lenny1 |             |            |
tla            | source | (unstable) | 1.3.5+dfsg-15        | unimportant |            | 560940
udunits        | source | (unstable) | 2.1.8-4              | unimportant |            | 560922
vnc4           | source | (unstable) | (not affected)       |             |            |
vxl            | source | (unstable) | 1.13.0-2             | low         |            | 560945
w3c-libwww     | source | (unstable) | (unfixed)            |             |            |
wxwidgets2.6   | source | (unstable) | 2.6.3.2.2-4          | unimportant |            | 560916
wxwidgets2.8   | source | (unstable) | 2.8.10.1-2           | unimportant |            | 560917
wxwindows2.4   | source | (unstable) | (unfixed)            | unimportant |            | 560915
xmlrpc-c       | source | (unstable) | 1.06.27-1.1          | low         |            | 560942
xotcl          | source | (unstable) | (not affected)       |             |            |
xulrunner      | source | (unstable) | (unfixed)            | unimportant |            | 560946

Notes

[lenny] - mcabber <no-dsa> (Minor issue)
[etch] - w3c-libwww <no-dsa> (Minor issue, only used by fringe apps)
[etch] - python-xml <no-dsa> (minor issue)
[etch] - python-4suite <no-dsa> (Minor issue)
[lenny] - python-4suite <no-dsa> (Minor issue)
[etch] - tdom <no-dsa> (minor issue)
[etch] - ayttm <no-dsa> (minor issue)
[lenny] - ayttm <no-dsa> (minor issue)
[etch] - smart <no-dsa> (minor issue)
[lenny] - smart <no-dsa> (minor issue)
[etch] - xmlrpc-c <no-dsa> (minor issue)
[lenny] - xmlrpc-c <no-dsa> (minor issue)
- iceweasel <not-affected> (uses xulrunner; bug #560943)
- texlive-bin <not-affected> (Files are not compiled in, see #560948)
- vnc4 <not-affected> (Not affected, see bug #560949)
- xotcl <not-affected> (Vulnerable code not present in embedded Expat copy)
