CVE-2016-0729

NameCVE-2016-0729
DescriptionMultiple buffer overflows in (1) internal/XMLReader.cpp, (2) util/XMLURL.cpp, and (3) util/XMLUri.cpp in the XML Parser library in Apache Xerces-C before 3.1.3 allow remote attackers to cause a denial of service (segmentation fault or memory corruption) or possibly execute arbitrary code via a crafted document.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-433-1, DSA-3493-1
Debian Bugs815907

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xerces-c (PTS)stretch3.1.4+debian-2+deb9u1fixed
stretch (security)3.1.4+debian-2+deb9u2fixed
buster, buster (security)3.2.2+debian-1+deb10u1fixed
bookworm, sid, bullseye3.2.3+debian-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xerces-csourcesqueeze3.1.1-1+deb6u2DLA-433-1
xerces-csourcewheezy3.1.1-3+deb7u2DSA-3493-1
xerces-csourcejessie3.1.1-5.1+deb8u1DSA-3493-1
xerces-csource(unstable)3.1.3+debian-1815907

Notes

http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt
http://svn.apache.org/viewvc?view=revision&revision=1727978

Search for package or bug name: Reporting problems