CVE-2009-3720

NameCVE-2009-3720
DescriptionThe updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1921-1, DSA-1977-1
Debian Bugs551936, 551938, 560912, 560913, 560914, 560915, 560916, 560917, 560919, 560920, 560921, 560922, 560924, 560925, 560926, 560927, 560928, 560929, 560930, 560931, 560932, 560933, 560935, 560936, 560937, 560940, 560942, 560944, 560945, 560946, 560950, 560951, 560953, 601053

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
audacity (PTS)bullseye2.4.2~dfsg0-5fixed
bookworm3.2.4+dfsg-1fixed
sid, trixie3.7.0+dfsg-1fixed
cadaver (PTS)bullseye0.23.3-2.1vulnerable
bookworm0.24+dfsg-1vulnerable
sid, trixie0.24+dfsg-4vulnerable
cmake (PTS)bullseye3.18.4-2+deb11u1fixed
bookworm3.25.1-1fixed
trixie3.30.5-1fixed
sid3.31.0-1fixed
coin3 (PTS)bullseye4.0.0+ds-1vulnerable
bookworm4.0.0+ds-3vulnerable
sid, trixie4.0.2+ds-2vulnerable
expat (PTS)bullseye2.2.10-2+deb11u5fixed
bullseye (security)2.2.10-2+deb11u6fixed
bookworm, bookworm (security)2.5.0-1+deb12u1fixed
sid, trixie2.6.4-1fixed
gdcm (PTS)bullseye3.0.8-2fixed
bookworm3.0.21-1fixed
sid, trixie3.0.24-5fixed
ghostscript (PTS)bullseye9.53.3~dfsg-7+deb11u7fixed
bullseye (security)9.53.3~dfsg-7+deb11u8fixed
bookworm10.0.0~dfsg-11+deb12u5fixed
bookworm (security)10.0.0~dfsg-11+deb12u6fixed
sid, trixie10.04.0~dfsg-1fixed
matanza (PTS)sid, bookworm, bullseye0.13+ds2-1vulnerable
mcabber (PTS)bullseye1.1.2-1fixed
sid, trixie, bookworm1.1.2-2fixed
paraview (PTS)bullseye5.9.0-2fixed
bookworm5.11.0+dfsg-1fixed
sid5.13.1+dfsg-8fixed
poco (PTS)bullseye1.10.0-6+deb11u1fixed
bookworm1.11.0-3fixed
sid, trixie1.13.0-6fixed
simgear (PTS)bullseye1:2020.3.6+dfsg-1fixed
bookworm1:2020.3.16+dfsg-1fixed
sid, trixie1:2020.3.18+dfsg-2.1fixed
tdom (PTS)bullseye0.9.2-1fixed
bookworm0.9.3-1fixed
sid, trixie0.9.5-1fixed
texlive-bin (PTS)bullseye2020.20200327.54578-7+deb11u1fixed
bullseye (security)2020.20200327.54578-7+deb11u2fixed
bookworm2022.20220321.62855-5.1+deb12u1fixed
sid, trixie2024.20240313.70630+ds-5fixed
tla (PTS)bullseye1.3.5+dfsg1-2fixed
bookworm1.3.5+dfsg1-2.1fixed
sid1.3.5+dfsg2-1fixed
udunits (PTS)bullseye2.2.28-3fixed
bookworm2.2.28-5fixed
sid, trixie2.2.28-7fixed
xmlrpc-c (PTS)bullseye1.33.14-9fixed
bookworm1.33.14-11fixed
sid, trixie1.59.03-6fixed
xotcl (PTS)bullseye1.6.8-4.1fixed
sid, trixie, bookworm1.6.8-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
audacitysource(unstable)1.3.2-1unimportant560919
ayttmsource(unstable)0.6.1-2low560924
cableswigsource(unstable)(unfixed)unimportant560925
cadaversource(unstable)(unfixed)unimportant560926
centerimsource(unstable)4.22.10-1low
cmakesource(unstable)2.6.0-6unimportant560927
coin3source(unstable)(unfixed)unimportant560928
expatsourceetch1.95.8-3.4+etch1DSA-1921-1
expatsourcelenny2.0.1-4+lenny1DSA-1921-1
expatsource(unstable)2.0.1-5low551936
gdcmsource(unstable)2.0.14-2low560929
ghostscriptsource(unstable)8.71~dfsg-2unimportant560930
grmonitorsource(unstable)(unfixed)unimportant560931
gs-gplsource(unstable)(unfixed)unimportant
iceapesource(unstable)(unfixed)unimportant560932
iceweaselsource(unstable)(not affected)
insighttoolkitsource(unstable)3.16.0-1unimportant560933
kompozersource(unstable)1:0.8~b1-2unimportant560944
matanzasource(unstable)(unfixed)unimportant560920
mcabbersource(unstable)0.10.0-1low601053
paraviewsource(unstable)3.6.2-1unimportant560935
pocosource(unstable)1.3.6p1-1unimportant560936
python-4suitesource(unstable)1.0.2-7.2low560914
python-xmlsourcelenny0.8.4-10.1+lenny1
python-xmlsource(unstable)(unfixed)low560951
python2.4sourceetch2.4.4-3+etch3DSA-1977-1
python2.4sourcelenny2.4.6-1+lenny1DSA-1977-1
python2.4source(unstable)2.4.4-3etch3low560913
python2.5sourceetch2.5-5+etch2DSA-1977-1
python2.5sourcelenny2.5.2-15+lenny1DSA-1977-1
python2.5source(unstable)2.5.4-3.1low560912
simgearsource(unstable)2.10.0-1unimportant560937
smartsource(unstable)1.2-5low560953
tdomsource(unstable)0.8.3~20080525-1low560921
texlive-binsource(unstable)(not affected)
tlasourcelenny1.3.5+dfsg-14+lenny1
tlasource(unstable)1.3.5+dfsg-15unimportant560940
udunitssource(unstable)2.1.8-4unimportant560922
vnc4source(unstable)(not affected)
vxlsource(unstable)1.13.0-2low560945
w3c-libwwwsource(unstable)(unfixed)low551938
wxwidgets2.6source(unstable)2.6.3.2.2-4unimportant560916
wxwidgets2.8source(unstable)2.8.10.1-2unimportant560917
wxwindows2.4source(unstable)(unfixed)unimportant560915
xmlrpc-csource(unstable)1.06.27-1.1low560942
xotclsource(unstable)1.6.5-1.2low560950
xulrunnersource(unstable)(unfixed)unimportant560946

Notes

[lenny] - mcabber <no-dsa> (Minor issue)
[etch] - w3c-libwww <no-dsa> (Minor issue, only used by fringe apps)
[etch] - python-xml <no-dsa> (minor issue)
[etch] - python-4suite <no-dsa> (Minor issue)
[lenny] - python-4suite <no-dsa> (Minor issue)
[etch] - tdom <no-dsa> (minor issue)
[etch] - ayttm <no-dsa> (minor issue)
[lenny] - ayttm <no-dsa> (minor issue)
[lenny] - centerim <no-dsa> (Minor issue)
[etch] - smart <no-dsa> (minor issue)
[lenny] - smart <no-dsa> (minor issue)
[etch] - xmlrpc-c <no-dsa> (minor issue)
[lenny] - xmlrpc-c <no-dsa> (minor issue)
- iceweasel <not-affected> (uses xulrunner; bug #560943)
- texlive-bin <not-affected> (Files are not compiled in, see #560948)
- vnc4 <not-affected> (Not affected, see bug #560949)
[lenny] - xotcl <no-dsa> (minor issue)
Search for package or bug name: Reporting problems