CVE-2009-3720

Published: 03 November 2009

The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.

Priority

Low

Status

Package Release Status
expat
Launchpad, Ubuntu, Debian
Upstream
Released (2.0.1-5)
Ubuntu 21.04 (Hirsute Hippo)
Released (2.0.1-7ubuntu1)
Ubuntu 20.10 (Groovy Gorilla)
Released (2.0.1-7ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (2.0.1-7ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.0.1-7ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (2.0.1-7ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.0.1-7ubuntu1)
Patches:
Upstream: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
apache2
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(code-not-compiled)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(code-not-compiled)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code-not-compiled)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code-not-compiled)
apr-util
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(code-not-compiled)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(code-not-compiled)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code-not-compiled)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code-not-compiled)
cmake
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(code-not-compiled)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(code-not-compiled)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code-not-compiled)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [code-not-compiled])
ghostscript
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(code-not-compiled)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(code-not-compiled)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code-not-compiled)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [code-not-compiled])
python2.6
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.4)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

python2.5
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

celementtree
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

python2.4
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

python-xml
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

smart
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code-not-compiled)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [code-not-compiled])
texlive-bin
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(code-not-compiled)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(code-not-compiled)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(code-not-compiled)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code-not-compiled)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(code-not-compiled)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [code-not-compiled])
xmlrpc-c
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo)
Released (1.06.27-1ubuntu7)
Ubuntu 20.10 (Groovy Gorilla)
Released (1.06.27-1ubuntu7)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1.06.27-1ubuntu7)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1.06.27-1ubuntu7)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.06.27-1ubuntu7)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.06.27-1ubuntu7)
wxwidgets2.8
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [uses system expat])
paraview
Launchpad, Ubuntu, Debian
Upstream
Released (3.6.2-1)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(3.8.1-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(3.8.1-1ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(3.8.1-1ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(3.8.1-1ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [3.8.1-1ubuntu1])
wxwidgets2.6
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

vnc4
Launchpad, Ubuntu, Debian
Upstream Not vulnerable

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable

xotcl
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needs triage

Ubuntu 20.10 (Groovy Gorilla) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
w3c-libwww
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

tla
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(uses system expat)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system expat)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
poco
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(uses system expat)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system expat)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(uses system expat)
xulrunner
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

sitecopy
Launchpad, Ubuntu, Debian
Upstream Not vulnerable
(uses system expat)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(uses system expat)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system expat)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
libparagui1.1
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

wbxml2
Launchpad, Ubuntu, Debian
Upstream Not vulnerable
(uses system expat)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(uses system expat)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system expat)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
swish-e
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needs triage

Ubuntu 20.10 (Groovy Gorilla) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
kompozer
Launchpad, Ubuntu, Debian
Upstream
Released (1:0.8~b1-2)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

insighttoolkit
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
cadaver
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.04 (Hirsute Hippo) Needed

Ubuntu 20.10 (Groovy Gorilla) Needed

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 LTS (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)
wxwindows2.4
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

gdcm
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(uses system expat)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system expat)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(uses system expat)
ayttm
Launchpad, Ubuntu, Debian
Upstream
Released (0.6.1-2)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(0.6.1-2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [0.6.1-2])
cableswig
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
grmonitor
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

coin3
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needed

Ubuntu 20.10 (Groovy Gorilla) Needed

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 LTS (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Needed

simgear
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(uses system expat)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system expat)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [uses system expat])
audacity
Launchpad, Ubuntu, Debian
Upstream Not vulnerable
(uses system expat)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(uses system expat)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system expat)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [uses system expat])
matanza
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needs triage

Ubuntu 20.10 (Groovy Gorilla) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
tdom
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(uses system expat)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system expat)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system expat)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system expat)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
vtk
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system expat)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [uses system expat])

Notes

AuthorNote
jdstrand
both this and CVE-2009-2625 refer to the same expat bug:
#1990430. See http://www.openwall.com/lists/oss-security/2009/09/06/1
This CVE was later assigned to the same issue, since CVE-2009-2625 was worded
as a Java vulnerability. Our USN references CVE-2009-2625 and this CVE will
be ignored (for expat).
jdstrand provided updates in supported releases for expat, xmlrpc-c,
cmake, python-xml, python2.4, and python2.5
ebarretto
this is not an issue for vnc4, for more information see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560949

References

Bugs