CVE-2019-20201

Name	CVE-2019-20201
Description	An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_* functions mishandle XML entities, leading to an infinite loop in which memory allocations occur.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	989360, 989361, 989363, 989364

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mapcache (PTS)	bullseye	1.10.0-2	vulnerable
	bookworm	1.14.0-1	vulnerable
	sid, trixie	1.14.1-3	vulnerable
netcdf (PTS)	bullseye	1:4.7.4-1	vulnerable
	bookworm	1:4.9.0-3	fixed
	sid, trixie	1:4.9.3-1	fixed
netcdf-parallel (PTS)	bullseye	1:4.7.4-1	vulnerable
	bookworm	1:4.9.0-1	fixed
	sid, trixie	1:4.9.3-2	fixed
scilab (PTS)	bullseye	6.1.0+dfsg1-7	vulnerable
	bookworm	6.1.1+dfsg2-6	vulnerable
	sid, trixie	2024.1.0+dfsg-6	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
mapcache	source	(unstable)	(unfixed)	unimportant	989363
netcdf	source	stretch	(not affected)
netcdf	source	(unstable)	1:4.9.0-1		989360
netcdf-parallel	source	(unstable)	1:4.9.0-1		989361
scilab	source	(unstable)	(unfixed)	unimportant	989364

Notes

[bullseye] - netcdf <ignored> (Minor issue)
[buster] - netcdf <ignored> (Minor issue)
[stretch] - netcdf <not-affected> (vulnerable code not present)
[bullseye] - netcdf-parallel <ignored> (Minor issue)
[buster] - netcdf-parallel <ignored> (Minor issue)
https://sourceforge.net/p/ezxml/bugs/16/
mapcache only uses ezxml to parse config files which are trusted