CVE-2019-20200

Name	CVE-2019-20200
Description	An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing crafted a XML file, performs incorrect memory handling, leading to a heap-based buffer over-read in the "normalize line endings" feature.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs	989360, 989361, 989363, 989364

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mapcache (PTS)	buster	1.6.1-3	vulnerable
	bullseye	1.10.0-2	vulnerable
	bookworm	1.12.1-1	vulnerable
	sid	1.14.0-1	vulnerable
netcdf (PTS)	buster	1:4.6.2-1	vulnerable
	bullseye	1:4.7.4-1	vulnerable
	bookworm, sid	1:4.9.0-3	fixed
netcdf-parallel (PTS)	buster	1:4.6.2-1	vulnerable
	bullseye	1:4.7.4-1	vulnerable
	bookworm, sid	1:4.9.0-1	fixed
scilab (PTS)	buster	6.0.1-10+deb10u1	vulnerable
	bullseye	6.1.0+dfsg1-7	vulnerable
	bookworm, sid	6.1.1+dfsg2-4	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
mapcache	source	(unstable)	(unfixed)	unimportant	989363
netcdf	source	stretch	(not affected)
netcdf	source	(unstable)	1:4.9.0-1		989360
netcdf-parallel	source	(unstable)	1:4.9.0-1		989361
scilab	source	(unstable)	(unfixed)		989364

Notes

[bullseye] - scilab <no-dsa> (Minor issue)
[buster] - scilab <no-dsa> (Minor issue)
[stretch] - scilab <no-dsa> (Minor issue)
[bullseye] - netcdf <ignored> (Minor issue)
[buster] - netcdf <ignored> (Minor issue)
[stretch] - netcdf <not-affected> (vulnerable code not present)
[bullseye] - netcdf-parallel <ignored> (Minor issue)
[buster] - netcdf-parallel <ignored> (Minor issue)
https://sourceforge.net/p/ezxml/bugs/19/
mapcache only uses ezxml to parse config files which are trusted