Mandriva Linux Security Advisory 2009-316 - The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than and CVE-2009-3720. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides a solution to these vulnerabilities. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The previous (MDVSA-2009:316-2) updates provided packages for 2008.0/2009.0/2009.1/2010.0/mes5 that did not have an increased release number which prevented the packages from hitting the mirrors.
65a319ba6e69c9835b128c925cf1694bfae7fe20c0b9a69df9bd5a8c82228cc1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:316-3
http://www.mandriva.com/security/
_______________________________________________________________________
Package : expat
Date : January 10, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in expat:
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
as used in the XML-Twig module for Perl, allows context-dependent
attackers to cause a denial of service (application crash) via an
XML document with malformed UTF-8 sequences that trigger a buffer
over-read, related to the doProlog function in lib/xmlparse.c,
a different vulnerability than CVE-2009-2625 and CVE-2009-3720
(CVE-2009-3560).
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
This update provides a solution to these vulnerabilities.
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
Update:
The previous (MDVSA-2009:316-2) updates provided packages for
2008.0/2009.0/2009.1/2010.0/mes5 that did not have an increased
release number which prevented the packages from hitting the mirrors.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
https://bugzilla.novell.com/show_bug.cgi?id=566434
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
13774ef90c141db6326c7262d3c320c8 2008.0/i586/expat-2.0.1-4.3mdv2008.0.i586.rpm
8cc403e46d7b6c5239763ccef3ac97f6 2008.0/i586/libexpat1-2.0.1-4.3mdv2008.0.i586.rpm
97e7266c3a2bdd6b1e2b3b3046904c98 2008.0/i586/libexpat1-devel-2.0.1-4.3mdv2008.0.i586.rpm
00f546038b5b8efae7e7cbfaa806dae8 2008.0/SRPMS/expat-2.0.1-4.3mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
bfe2cc21ead72b18a505ac13d3b0857c 2008.0/x86_64/expat-2.0.1-4.3mdv2008.0.x86_64.rpm
dac863ff59aed4282ae59e321f203f93 2008.0/x86_64/lib64expat1-2.0.1-4.3mdv2008.0.x86_64.rpm
37d732528c186489897ecdf7f9585cb8 2008.0/x86_64/lib64expat1-devel-2.0.1-4.3mdv2008.0.x86_64.rpm
00f546038b5b8efae7e7cbfaa806dae8 2008.0/SRPMS/expat-2.0.1-4.3mdv2008.0.src.rpm
Mandriva Linux 2009.0:
1b5e3348c1bbe4ecdbe2d171dbc92f2a 2009.0/i586/expat-2.0.1-7.3mdv2009.0.i586.rpm
d4df428ea77983271d7c31f9bce59669 2009.0/i586/libexpat1-2.0.1-7.3mdv2009.0.i586.rpm
0d0802d87eb78bc64f3ca8195d7cc17b 2009.0/i586/libexpat1-devel-2.0.1-7.3mdv2009.0.i586.rpm
6508d5fba047cf35b6d61259266b82ed 2009.0/SRPMS/expat-2.0.1-7.3mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
765f5d35b0e1b4ff33d426dc79296851 2009.0/x86_64/expat-2.0.1-7.3mdv2009.0.x86_64.rpm
0905a279e62d648abaa025dec1f262eb 2009.0/x86_64/lib64expat1-2.0.1-7.3mdv2009.0.x86_64.rpm
2562ec57be33f72dbaa5d04cd4a3e566 2009.0/x86_64/lib64expat1-devel-2.0.1-7.3mdv2009.0.x86_64.rpm
6508d5fba047cf35b6d61259266b82ed 2009.0/SRPMS/expat-2.0.1-7.3mdv2009.0.src.rpm
Mandriva Linux 2009.1:
fe1d2d61e0447990a8fea4e133f1c0d1 2009.1/i586/expat-2.0.1-8.3mdv2009.1.i586.rpm
ee800d042612c90ac48004d026d87e18 2009.1/i586/libexpat1-2.0.1-8.3mdv2009.1.i586.rpm
8a556a2c5bcd40d1160fb86d3b24ad93 2009.1/i586/libexpat1-devel-2.0.1-8.3mdv2009.1.i586.rpm
591ceb30bbc21cce048c04d5f67cc3d7 2009.1/SRPMS/expat-2.0.1-8.3mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
7532d0529c362180c9a1a8fd206f13fd 2009.1/x86_64/expat-2.0.1-8.3mdv2009.1.x86_64.rpm
6b7a604d8c15a39c59bf04e7f26bb90e 2009.1/x86_64/lib64expat1-2.0.1-8.3mdv2009.1.x86_64.rpm
adc29880c73da313bc69d23085963dcd 2009.1/x86_64/lib64expat1-devel-2.0.1-8.3mdv2009.1.x86_64.rpm
591ceb30bbc21cce048c04d5f67cc3d7 2009.1/SRPMS/expat-2.0.1-8.3mdv2009.1.src.rpm
Mandriva Linux 2010.0:
eb556df9f00d67acd20a0b3a4d21f487 2010.0/i586/expat-2.0.1-10.2mdv2010.0.i586.rpm
3f2fe4b31ef2e572aa0f103cec4cac02 2010.0/i586/libexpat1-2.0.1-10.2mdv2010.0.i586.rpm
7787b1cfae235d1146ead95c67240832 2010.0/i586/libexpat1-devel-2.0.1-10.2mdv2010.0.i586.rpm
91c4034ba57643ad09893ee550b124fb 2010.0/SRPMS/expat-2.0.1-10.2mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
339cbedef9d61586aa4bdef40801db0d 2010.0/x86_64/expat-2.0.1-10.2mdv2010.0.x86_64.rpm
95067327674b3752b6166e631e6c0c54 2010.0/x86_64/lib64expat1-2.0.1-10.2mdv2010.0.x86_64.rpm
9d327cfab29a197b2f2910259ca1f421 2010.0/x86_64/lib64expat1-devel-2.0.1-10.2mdv2010.0.x86_64.rpm
91c4034ba57643ad09893ee550b124fb 2010.0/SRPMS/expat-2.0.1-10.2mdv2010.0.src.rpm
Mandriva Enterprise Server 5:
0c1e5ed2e68540b127707df985eaa9b2 mes5/i586/expat-2.0.1-7.3mdvmes5.i586.rpm
969c2c861d178394615eba9bd786a2d1 mes5/i586/libexpat1-2.0.1-7.3mdvmes5.i586.rpm
4668e05cf61f067112e4c55f2c864f76 mes5/i586/libexpat1-devel-2.0.1-7.3mdvmes5.i586.rpm
cb94fe0c73aa6140abcf05b277a438d2 mes5/SRPMS/expat-2.0.1-7.3mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
5a1624a1c856992f50a38efa739f5987 mes5/x86_64/expat-2.0.1-7.3mdvmes5.x86_64.rpm
bfb6d7058cf6d4930db4362576839281 mes5/x86_64/lib64expat1-2.0.1-7.3mdvmes5.x86_64.rpm
b314bdc8eabfb001be798e0a382996f3 mes5/x86_64/lib64expat1-devel-2.0.1-7.3mdvmes5.x86_64.rpm
cb94fe0c73aa6140abcf05b277a438d2 mes5/SRPMS/expat-2.0.1-7.3mdvmes5.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLSa6LmqjQ0CJFipgRAismAJwNAoq62MoQe6algI6ORpj32M13EQCfSyOt
LnDKMlnXZBjDtSA1Vggis7E=
=TrDH
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed