CVE-2009-3720

Name	CVE-2009-3720
Description	The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1921-1, DSA-1977-1
Debian Bugs	551936, 551938, 560912, 560913, 560914, 560915, 560916, 560917, 560919, 560920, 560921, 560922, 560924, 560925, 560926, 560927, 560928, 560929, 560930, 560931, 560932, 560933, 560935, 560936, 560937, 560940, 560942, 560944, 560945, 560946, 560950, 560951, 560953, 601053

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
audacity (PTS)	buster	2.2.2-1	fixed
	bullseye	2.4.2~dfsg0-5	fixed
	bookworm	3.2.4+dfsg-1	fixed
	sid, trixie	3.4.2+dfsg-1	fixed
cadaver (PTS)	buster, bullseye	0.23.3-2.1	vulnerable
	bookworm	0.24+dfsg-1	vulnerable
	sid, trixie	0.24+dfsg-3	vulnerable
cmake (PTS)	buster	3.13.4-1	fixed
	bullseye	3.18.4-2+deb11u1	fixed
	bookworm	3.25.1-1	fixed
	sid, trixie	3.28.3-1	fixed
coin3 (PTS)	buster	4.0.0~CMake~6f54f1602475+ds1-2	vulnerable
	bullseye	4.0.0+ds-1	vulnerable
	bookworm	4.0.0+ds-3	vulnerable
	trixie	4.0.2+ds-1	vulnerable
	sid	4.0.2+ds-1.2	vulnerable
expat (PTS)	buster	2.2.6-2+deb10u4	fixed
	buster (security)	2.2.6-2+deb10u7	fixed
	bullseye (security), bullseye	2.2.10-2+deb11u5	fixed
	bookworm	2.5.0-1	fixed
	sid, trixie	2.6.2-1	fixed
gdcm (PTS)	buster	2.8.8-9	fixed
	bullseye	3.0.8-2	fixed
	bookworm	3.0.21-1	fixed
	trixie	3.0.22-2	fixed
	sid	3.0.22-3	fixed
ghostscript (PTS)	buster	9.27~dfsg-2+deb10u5	fixed
	buster (security)	9.27~dfsg-2+deb10u9	fixed
	bullseye	9.53.3~dfsg-7+deb11u6	fixed
	bullseye (security)	9.53.3~dfsg-7+deb11u5	fixed
	bookworm, bookworm (security)	10.0.0~dfsg-11+deb12u3	fixed
	trixie	10.02.1~dfsg-3	fixed
	sid	10.03.0~dfsg-1	fixed
matanza (PTS)	buster	0.13+ds1-6	vulnerable
	sid, trixie, bookworm, bullseye	0.13+ds2-1	vulnerable
mcabber (PTS)	buster	1.1.0-1.1	fixed
	bullseye	1.1.2-1	fixed
	sid, trixie, bookworm	1.1.2-2	fixed
paraview (PTS)	buster	5.4.1+dfsg4-3.1	fixed
	bullseye	5.9.0-2	fixed
	bookworm	5.11.0+dfsg-1	fixed
	sid, trixie	5.11.2+dfsg-6	fixed
poco (PTS)	buster	1.9.0-5	fixed
	bullseye	1.10.0-6+deb11u1	fixed
	bookworm	1.11.0-3	fixed
	sid	1.13.0-6	fixed
simgear (PTS)	buster	1:2018.3.2+dfsg-5	fixed
	bullseye	1:2020.3.6+dfsg-1	fixed
	bookworm	1:2020.3.16+dfsg-1	fixed
	sid, trixie	1:2020.3.18+dfsg-2.1	fixed
smart (PTS)	buster	1.4-2	fixed
tdom (PTS)	buster	0.9.1-1	fixed
	bullseye	0.9.2-1	fixed
	sid, trixie, bookworm	0.9.3-1	fixed
texlive-bin (PTS)	buster	2018.20181218.49446-1	fixed
	buster (security)	2018.20181218.49446-1+deb10u2	fixed
	bullseye (security), bullseye	2020.20200327.54578-7+deb11u1	fixed
	bookworm	2022.20220321.62855-5.1+deb12u1	fixed
	sid, trixie	2023.20230311.66589-9	fixed
tla (PTS)	buster, bullseye	1.3.5+dfsg1-2	fixed
	bookworm	1.3.5+dfsg1-2.1	fixed
	sid, trixie	1.3.5+dfsg1-3	fixed
udunits (PTS)	buster	2.2.26-5	fixed
	bullseye	2.2.28-3	fixed
	bookworm	2.2.28-5	fixed
	sid, trixie	2.2.28-7	fixed
vnc4 (PTS)	buster	4.1.1+X4.3.0+t-1	fixed
xmlrpc-c (PTS)	buster	1.33.14-8	fixed
	bullseye	1.33.14-9	fixed
	trixie, bookworm	1.33.14-11	fixed
	sid	1.33.14-12	fixed
xotcl (PTS)	buster	1.6.8-4	fixed
	bullseye	1.6.8-4.1	fixed
	sid, trixie, bookworm	1.6.8-5	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
audacity	source	(unstable)	1.3.2-1	unimportant		560919
ayttm	source	(unstable)	0.6.1-2	low		560924
cableswig	source	(unstable)	(unfixed)	unimportant		560925
cadaver	source	(unstable)	(unfixed)	unimportant		560926
centerim	source	(unstable)	4.22.10-1	low
cmake	source	(unstable)	2.6.0-6	unimportant		560927
coin3	source	(unstable)	(unfixed)	unimportant		560928
expat	source	etch	1.95.8-3.4+etch1		DSA-1921-1
expat	source	lenny	2.0.1-4+lenny1		DSA-1921-1
expat	source	(unstable)	2.0.1-5	low		551936
gdcm	source	(unstable)	2.0.14-2	low		560929
ghostscript	source	(unstable)	8.71~dfsg-2	unimportant		560930
grmonitor	source	(unstable)	(unfixed)	unimportant		560931
gs-gpl	source	(unstable)	(unfixed)	unimportant
iceape	source	(unstable)	(unfixed)	unimportant		560932
iceweasel	source	(unstable)	(not affected)
insighttoolkit	source	(unstable)	3.16.0-1	unimportant		560933
kompozer	source	(unstable)	1:0.8~b1-2	unimportant		560944
matanza	source	(unstable)	(unfixed)	unimportant		560920
mcabber	source	(unstable)	0.10.0-1	low		601053
paraview	source	(unstable)	3.6.2-1	unimportant		560935
poco	source	(unstable)	1.3.6p1-1	unimportant		560936
python-4suite	source	(unstable)	1.0.2-7.2	low		560914
python-xml	source	lenny	0.8.4-10.1+lenny1
python-xml	source	(unstable)	(unfixed)	low		560951
python2.4	source	etch	2.4.4-3+etch3		DSA-1977-1
python2.4	source	lenny	2.4.6-1+lenny1		DSA-1977-1
python2.4	source	(unstable)	2.4.4-3etch3	low		560913
python2.5	source	etch	2.5-5+etch2		DSA-1977-1
python2.5	source	lenny	2.5.2-15+lenny1		DSA-1977-1
python2.5	source	(unstable)	2.5.4-3.1	low		560912
simgear	source	(unstable)	2.10.0-1	unimportant		560937
smart	source	(unstable)	1.2-5	low		560953
tdom	source	(unstable)	0.8.3~20080525-1	low		560921
texlive-bin	source	(unstable)	(not affected)
tla	source	lenny	1.3.5+dfsg-14+lenny1
tla	source	(unstable)	1.3.5+dfsg-15	unimportant		560940
udunits	source	(unstable)	2.1.8-4	unimportant		560922
vnc4	source	(unstable)	(not affected)
vxl	source	(unstable)	1.13.0-2	low		560945
w3c-libwww	source	(unstable)	(unfixed)	low		551938
wxwidgets2.6	source	(unstable)	2.6.3.2.2-4	unimportant		560916
wxwidgets2.8	source	(unstable)	2.8.10.1-2	unimportant		560917
wxwindows2.4	source	(unstable)	(unfixed)	unimportant		560915
xmlrpc-c	source	(unstable)	1.06.27-1.1	low		560942
xotcl	source	(unstable)	1.6.5-1.2	low		560950
xulrunner	source	(unstable)	(unfixed)	unimportant		560946

Notes

[lenny] - mcabber <no-dsa> (Minor issue)
[etch] - w3c-libwww <no-dsa> (Minor issue, only used by fringe apps)
[etch] - python-xml <no-dsa> (minor issue)
[etch] - python-4suite <no-dsa> (Minor issue)
[lenny] - python-4suite <no-dsa> (Minor issue)
[etch] - tdom <no-dsa> (minor issue)
[etch] - ayttm <no-dsa> (minor issue)
[lenny] - ayttm <no-dsa> (minor issue)
[lenny] - centerim <no-dsa> (Minor issue)
[etch] - smart <no-dsa> (minor issue)
[lenny] - smart <no-dsa> (minor issue)
[etch] - xmlrpc-c <no-dsa> (minor issue)
[lenny] - xmlrpc-c <no-dsa> (minor issue)
- iceweasel <not-affected> (uses xulrunner; bug #560943)
- texlive-bin <not-affected> (Files are not compiled in, see #560948)
- vnc4 <not-affected> (Not affected, see bug #560949)
[lenny] - xotcl <no-dsa> (minor issue)