libxmltok (1.2-4.1ubuntu3.1) oracular-security; urgency=medium

  * SECURITY UPDATE: integer overflow
    - xmlparse/xmlparse.c: add integer overflow checks and signed
      arithmetic
    - CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825,
    - CVE-2022-22826, CVE-2022-22827, CVE-2015-1283, CVE-2016-4472
  * SECURITY UPDATE: buffer overflow and integer overflow
    - xmlparse/xmlparse.c: assign a result for XmlConvert calls and verify
      if it matches with the expected XML_Convert_Result enum values.
      Add an integer overflow check and proper signed arithmetic
      overflow for blockSize in poolGrow().
    - xmltok/xmltok.c: add XML_Convert_Result return value for utf8_toUtf8,
      utf8_toUtf16, latin1_toUtf8, latin1_toUtf16, ascii_toUtf8, toUtf8,
      toUtf16, unknown_toUtf8 and unknown_toUtf16 methods.
    - xmltok/xmltok.h: add XML_Convert_Result enum values and return values
      for the above methods definitions.
    - xmltok/xmltok_impl.c: change if statement for ptr pointer when
      comparing to end pointer.
    - CVE-2016-0718
  * SECURITY UPDATE: denial of service
    - xmlparse/xmlparse.c: add a break statement in setElementTypePrefix().
    - CVE-2018-20843
  * SECURITY UPDATE: Heap-based buffer over-read
    - xmlparse/xmlparse.c: add a new parameter, allowClosingDoctype,
      to doProlog() and when in case XML_ROLE_DOCTYPE_CLOSE, verify if
      this parameter is not true and return an error. When invoking
      doProlog from prologProcessor(), passes allowClosingDoctype as true,
      and when invoking from processInternalParamEntity() passes
      allowClosingDoctype as false.
    - CVE-2019-15903
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2021-46143.patch: add an integer overflow check
      for groupSize variable at doProlog() in xmlparse/xmlparse.c.
    - CVE-2021-46143

 -- Bruce Cable <email address hidden>  Mon, 06 Jan 2025 15:43:25 +1100

CVE-2022-22822 | addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22823 | build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22824 | defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22825 | lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22826 | nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22827 | storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2015-1283 | Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, all
CVE-2016-4472 | The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of servi
CVE-2016-0718 | Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, whic
CVE-2018-20843 | In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amoun
CVE-2019-15903 | In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to
CVE-2021-46143 | In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.