CVE-2009-3720

NameCVE-2009-3720
DescriptionThe updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1921-1, DSA-1977-1
NVD severitymedium (attack range: remote)
Debian Bugs551936, 551938, 560912, 560913, 560914, 560915, 560916, 560917, 560919, 560920, 560921, 560922, 560924, 560925, 560926, 560927, 560928, 560929, 560930, 560931, 560932, 560933, 560935, 560936, 560937, 560940, 560942, 560944, 560945, 560946, 560950, 560951, 560953, 601053

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
audacity (PTS)wheezy2.0.1-1fixed
jessie2.0.6-2fixed
buster, sid, stretch2.1.2-2fixed
ayttm (PTS)wheezy, jessie0.6.3-3fixed
cableswig (PTS)wheezy0.1.0+cvs20111009-1vulnerable
jessie0.1.0+cvs20111009-1.1vulnerable
cadaver (PTS)wheezy0.23.3-1vulnerable
buster, sid, jessie, stretch0.23.3-2vulnerable
centerim (PTS)wheezy4.22.10-2fixed
cmake (PTS)wheezy2.8.9-1fixed
jessie3.0.2-1+deb8u1fixed
stretch3.7.2-1fixed
buster, sid3.9.3-1fixed
coin3 (PTS)wheezy3.1.3-2.2vulnerable
jessie3.1.4~abc9f50-7vulnerable
buster, sid, stretch3.1.4~abc9f50+dfsg1-2vulnerable
expat (PTS)wheezy2.1.0-1+deb7u2fixed
wheezy (security)2.1.0-1+deb7u5fixed
jessie (security), jessie2.1.0-6+deb8u4fixed
stretch (security), stretch2.2.0-2+deb9u1fixed
buster, sid2.2.3-1fixed
gdcm (PTS)wheezy2.2.0-14.1fixed
jessie2.4.4-3+deb8u1fixed
stretch2.6.6-3fixed
buster, sid2.8.3-1fixed
ghostscript (PTS)wheezy9.05~dfsg-6.3+deb7u2fixed
wheezy (security)9.05~dfsg-6.3+deb7u7fixed
jessie9.06~dfsg-2+deb8u5fixed
jessie (security)9.06~dfsg-2+deb8u6fixed
stretch (security), stretch9.20~dfsg-3.2+deb9u1fixed
buster, sid9.22~dfsg-1fixed
iceweasel (PTS)wheezy, wheezy (security)38.8.0esr-1~deb7u1fixed
jessie (security)38.8.0esr-1~deb8u1fixed
insighttoolkit (PTS)wheezy3.20.1+git20120521-3fixed
jessie3.20.1+git20120521-5fixed
matanza (PTS)wheezy0.13+ds1-1vulnerable
buster, sid, jessie, stretch0.13+ds1-5vulnerable
mcabber (PTS)wheezy0.10.1-3fixed
wheezy (security)0.10.1-3+deb7u1fixed
jessie0.10.2-1fixed
buster, sid, stretch1.0.4-1.1fixed
paraview (PTS)wheezy3.14.1-6fixed
jessie4.1.0+dfsg+1-1fixed
stretch5.1.2+dfsg1-2fixed
buster, sid5.4.1+dfsg3-1fixed
poco (PTS)wheezy1.3.6p1-4fixed
jessie1.3.6p1-5fixed
stretch1.7.6+dfsg1-5fixed
buster, sid1.7.8+dfsg1-3fixed
simgear (PTS)jessie3.0.0-6fixed
stretch1:2016.4.4+dfsg-2fixed
buster1:2017.2.1+dfsg-2fixed
sid1:2017.3.1+dfsg-1fixed
smart (PTS)wheezy, buster, sid, jessie, stretch1.4-2fixed
tdom (PTS)wheezy0.8.3~20080525-3+nmu2fixed
jessie, stretch0.8.3-1fixed
buster, sid0.9.0-1fixed
texlive-bin (PTS)wheezy2012.20120628-4fixed
jessie2014.20140926.35254-6fixed
stretch2016.20160513.41080.dfsg-2fixed
buster, sid2017.20170613.44572-6fixed
tla (PTS)wheezy1.3.5+dfsg-18fixed
jessie1.3.5+dfsg1-1fixed
buster, sid, stretch1.3.5+dfsg1-2fixed
udunits (PTS)wheezy2.1.23-3fixed
jessie2.2.17-1fixed
stretch2.2.20-1fixed
buster, sid2.2.25-2fixed
vnc4 (PTS)wheezy4.1.1+X4.3.0-37.1fixed
jessie4.1.1+X4.3.0-37.6fixed
buster, sid, stretch4.1.1+X4.3.0+t-1fixed
vxl (PTS)wheezy1.14.0-18fixed
jessie1.17.0.dfsg-1fixed
wxwidgets2.8 (PTS)wheezy2.8.12.1-12fixed
xmlrpc-c (PTS)wheezy1.16.33-3.2fixed
jessie1.33.14-0.2fixed
stretch1.33.14-4fixed
buster, sid1.33.14-8fixed
xotcl (PTS)wheezy1.6.7-2fixed
jessie1.6.8-1fixed
buster, sid, stretch1.6.8-3fixed
xulrunner (PTS)wheezy, wheezy (security)24.8.1esr-2~deb7u1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
audacitysource(unstable)1.3.2-1unimportant560919
ayttmsource(unstable)0.6.1-2low560924
cableswigsource(unstable)(unfixed)unimportant560925
cadaversource(unstable)(unfixed)unimportant560926
centerimsource(unstable)4.22.10-1low
cmakesource(unstable)2.6.0-6unimportant560927
coin3source(unstable)(unfixed)unimportant560928
expatsource(unstable)2.0.1-5low551936
expatsourceetch1.95.8-3.4+etch1mediumDSA-1921-1
expatsourcelenny2.0.1-4+lenny1mediumDSA-1921-1
gdcmsource(unstable)2.0.14-2low560929
ghostscriptsource(unstable)8.71~dfsg-2unimportant560930
grmonitorsource(unstable)(unfixed)unimportant560931
gs-gplsource(unstable)(unfixed)unimportant
iceapesource(unstable)(unfixed)unimportant560932
iceweaselsource(unstable)(not affected)
insighttoolkitsource(unstable)3.16.0-1unimportant560933
kompozersource(unstable)1:0.8~b1-2unimportant560944
matanzasource(unstable)(unfixed)unimportant560920
mcabbersource(unstable)0.10.0-1low601053
paraviewsource(unstable)3.6.2-1unimportant560935
pocosource(unstable)1.3.6p1-1unimportant560936
python-4suitesource(unstable)1.0.2-7.2low560914
python-xmlsource(unstable)(unfixed)low560951
python-xmlsourcelenny0.8.4-10.1+lenny1medium
python2.4source(unstable)2.4.4-3etch3low560913
python2.4sourceetch2.4.4-3+etch3mediumDSA-1977-1
python2.4sourcelenny2.4.6-1+lenny1mediumDSA-1977-1
python2.5source(unstable)2.5.4-3.1low560912
python2.5sourceetch2.5-5+etch2mediumDSA-1977-1
python2.5sourcelenny2.5.2-15+lenny1mediumDSA-1977-1
simgearsource(unstable)2.10.0-1unimportant560937
smartsource(unstable)1.2-5low560953
tdomsource(unstable)0.8.3~20080525-1low560921
texlive-binsource(unstable)(not affected)
tlasource(unstable)1.3.5+dfsg-15unimportant560940
tlasourcelenny1.3.5+dfsg-14+lenny1medium
udunitssource(unstable)2.1.8-4unimportant560922
vnc4source(unstable)(not affected)
vxlsource(unstable)1.13.0-2low560945
w3c-libwwwsource(unstable)(unfixed)low551938
wxwidgets2.6source(unstable)2.6.3.2.2-4unimportant560916
wxwidgets2.8source(unstable)2.8.10.1-2unimportant560917
wxwindows2.4source(unstable)(unfixed)unimportant560915
xmlrpc-csource(unstable)1.06.27-1.1low560942
xotclsource(unstable)1.6.5-1.2low560950
xulrunnersource(unstable)(unfixed)unimportant560946

Notes

[lenny] - mcabber <no-dsa> (Minor issue)
[etch] - w3c-libwww <no-dsa> (Minor issue, only used by fringe apps)
[etch] - python-xml <no-dsa> (minor issue)
[etch] - python-4suite <no-dsa> (Minor issue)
[lenny] - python-4suite <no-dsa> (Minor issue)
[etch] - tdom <no-dsa> (minor issue)
[etch] - ayttm <no-dsa> (minor issue)
[lenny] - ayttm <no-dsa> (minor issue)
[lenny] - centerim <no-dsa> (Minor issue)
[etch] - smart <no-dsa> (minor issue)
[lenny] - smart <no-dsa> (minor issue)
[etch] - xmlrpc-c <no-dsa> (minor issue)
[lenny] - xmlrpc-c <no-dsa> (minor issue)
- iceweasel <not-affected> (uses xulrunner; bug #560943)
- texlive-bin <not-affected> (Files are not compiled in, see #560948)
- vnc4 <not-affected> (Not affected, see bug #560949)
[lenny] - xotcl <no-dsa> (minor issue)

Search for package or bug name: Reporting problems