Sync expat 2.2.0-1 (main) from Debian unstable (main)

Bug #1600717 reported by Gianfranco Costamagna
Affects         Status         Importance   Assigned to   Milestone
expat (Ubuntu)  Fix Released   Wishlist     Unassigned

Bug Description

Please sync expat 2.2.0-1 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: unanticipated internal calls to srand
    - debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy
      in lib/xmlparse.c.
    - debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits on
      32bit platforms in lib/xmlparse.c.
    - CVE-2012-6702
  * SECURITY UPDATE: use of too little entropy
    - debian/patches/CVE-2016-5300-1.patch: extract method
      gather_time_entropy in lib/xmlparse.c.
    - debian/patches/CVE-2016-5300-2.patch: extract entropy from XML_Parser
      address in lib/xmlparse.c.
    - CVE-2016-5300
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed documents
    - debian/patches/CVE-2016-0718.patch: fix out of bounds memory access
      and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
      lib/xmltok_impl.c.
    - CVE-2016-0718
  * SECURITY UPDATE: integer overflows in XML_GetBuffer
    - debian/patches/CVE-2015-1283-refix.patch: improved existing fix in
      lib/xmlparse.c.
    - CVE-2015-1283

Everything is part of Debian and the new upstream release.

Changelog entries since current yakkety version 2.1.1-1ubuntu2:

expat (2.2.0-1) unstable; urgency=low

  * New upstream release, update symbols accordingly.
  * Use upstream manpage for xmlwf.
  * Drop all patches as this release contains those.

 -- Laszlo Boszormenyi (GCS) <email address hidden> Tue, 21 Jun 2016 15:29:58 +0000

expat (2.1.1-3) unstable; urgency=high

  * Use upstream fix for the following security vulnerabilities:
    - CVE-2012-6702, unanticipated internal calls to srand
    - CVE-2016-5300, use of too little entropy

 -- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 05 Jun 2016 00:17:46 +0000

expat (2.1.1-2) unstable; urgency=high

  * Avoid relying on undefined behavior in CVE-2015-1283 fix.
  * Apply upstream patch to fix the root cause of CVE-2016-0718 and
    CVE-2016-0719 vulnerabilities.
  * Update Standards-Version to 3.9.8.

 -- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 16 May 2016 05:35:08 +0000
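
The CVE-2015-1283 item above (and the "avoid relying on undefined behavior in CVE-2015-1283 fix" entry in 2.1.1-2) is about one recurring pattern: computing the bytes a parser buffer needs as `kept + requested` in a signed `int` and then testing whether the result went negative. That test is signed overflow, which C leaves undefined, so a compiler may drop it and the later copy writes past the allocation. The block below is an added illustration written for this page; it is not libexpat's code and not part of the bug report. It models a small XML_GetBuffer-style buffer with four pointers (names chosen to mirror the concept, and the 1024-byte initial size is an assumption) and shows the overflow check done against INT_MAX before the addition, plus the same care when the allocation is doubled.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model of a parser input buffer (illustration only, NOT libexpat code)
 * with the four pointers an XML_GetBuffer-style API keeps consistent:
 *   buffer    - start of the allocation
 *   bufferPtr - first byte not yet consumed by the parser
 *   bufferEnd - one past the last byte handed in so far
 *   bufferLim - one past the end of the allocation
 */
typedef struct {
    char *buffer;
    char *bufferPtr;
    char *bufferEnd;
    char *bufferLim;
} toy_buf;

/*
 * Bytes needed = unconsumed bytes to keep + bytes the caller wants.
 * The anti-pattern is
 *     int needed = keep + len; if (needed < 0) fail;
 * which relies on signed overflow wrapping negative. That is undefined
 * behaviour, so the compiler may legally delete the check. Compare
 * against INT_MAX before adding instead.
 */
bool needed_size(int keep, int len, int *out)
{
    if (keep < 0 || len < 0)
        return false;            /* negative lengths are never valid */
    if (len > INT_MAX - keep)
        return false;            /* keep + len would overflow */
    *out = keep + len;
    return true;
}

/* Double the allocation until it fits, refusing to wrap past INT_MAX. */
bool grow_size(int current, int needed, int *out)
{
    int size = current > 0 ? current : 1024;   /* 1024: assumed initial size */
    while (size < needed) {
        if (size > INT_MAX / 2)
            return false;        /* size * 2 would overflow */
        size *= 2;
    }
    *out = size;
    return true;
}

/*
 * Return a region the caller may fill with len bytes, reallocating and
 * compacting unconsumed data if the tail is too short. NULL means
 * overflow or out of memory; a caller must stop rather than write anyway.
 */
char *toy_get_buffer(toy_buf *b, int len)
{
    int keep = (int)(b->bufferEnd - b->bufferPtr);
    int needed;

    if (!needed_size(keep, len, &needed))
        return NULL;

    if (b->bufferLim - b->bufferEnd < len) {
        int current = (int)(b->bufferLim - b->buffer);
        int newsize;
        char *nb;

        if (!grow_size(current, needed, &newsize))
            return NULL;
        nb = malloc((size_t)newsize);
        if (nb == NULL)
            return NULL;
        if (keep > 0)
            memcpy(nb, b->bufferPtr, (size_t)keep);   /* compact unconsumed data */
        free(b->buffer);
        b->buffer = nb;
        b->bufferPtr = nb;
        b->bufferEnd = nb + keep;
        b->bufferLim = nb + newsize;
    }
    return b->bufferEnd;
}

/* Current allocation size, for inspection. */
int toy_capacity(const toy_buf *b)
{
    return (int)(b->bufferLim - b->buffer);
}

int main(void)
{
    toy_buf b = {0, 0, 0, 0};
    char *p = toy_get_buffer(&b, 100);          /* small request: allocates */
    printf("first request: %s, capacity %d\n", p ? "ok" : "NULL", toy_capacity(&b));
    b.bufferEnd += 100;                          /* pretend 100 bytes were filled */
    p = toy_get_buffer(&b, INT_MAX);             /* keep=100 + INT_MAX overflows */
    printf("huge request: %s\n", p ? "ok" : "NULL (rejected)");
    free(b.buffer);
    return 0;
}
```

The entropy items in the same delta (CVE-2012-6702, CVE-2016-5300) are the other half of the hardening: the named patches make the library seed its hash salt from time and the parser address instead of an unconditional srand/rand. An application that must still run against an older build can set the salt itself with expat's existing `XML_SetHashSalt()` API, using OS-supplied randomness, before the first parse.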

Changed in expat (Ubuntu):
importance: Undecided → Wishlist
Daniel Holbach (dholbach) wrote:

This bug was fixed in the package expat - 2.2.0-1
Sponsored for LocutusOfBorg (costamagnagianfranco)

---------------
expat (2.2.0-1) unstable; urgency=low

  * New upstream release, update symbols accordingly.
  * Use upstream manpage for xmlwf.
  * Drop all patches as this release contains those.

 -- Laszlo Boszormenyi (GCS) <email address hidden> Tue, 21 Jun 2016 15:29:58 +0000

expat (2.1.1-3) unstable; urgency=high

  * Use upstream fix for the following security vulnerabilities:
    - CVE-2012-6702, unanticipated internal calls to srand
    - CVE-2016-5300, use of too little entropy

 -- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 05 Jun 2016 00:17:46 +0000

expat (2.1.1-2) unstable; urgency=high

  * Avoid relying on undefined behavior in CVE-2015-1283 fix.
  * Apply upstream patch to fix the root cause of CVE-2016-0718 and
    CVE-2016-0719 vulnerabilities.
  * Update Standards-Version to 3.9.8.

 -- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 16 May 2016 05:35:08 +0000

Changed in expat (Ubuntu):
status: New → Fix Released