CVE-2019-15903

Published: 4 September 2019

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code-not-compiled)
disco Not vulnerable
(code-not-compiled)
eoan Not vulnerable
(code-not-compiled)
focal Not vulnerable
(code-not-compiled)
groovy Not vulnerable
(code-not-compiled)
hirsute Not vulnerable
(code-not-compiled)
impish Not vulnerable
(code-not-compiled)
jammy Not vulnerable
(code-not-compiled)
precise Not vulnerable
(code-not-compiled)
trusty Not vulnerable
(code-not-compiled)
upstream Needs triage

xenial Not vulnerable
(code-not-compiled)
apr-util
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code-not-compiled)
disco Not vulnerable
(code-not-compiled)
eoan Not vulnerable
(code-not-compiled)
focal Not vulnerable
(code-not-compiled)
groovy Not vulnerable
(code-not-compiled)
hirsute Not vulnerable
(code-not-compiled)
impish Not vulnerable
(code-not-compiled)
jammy Not vulnerable
(code-not-compiled)
precise Not vulnerable
(code-not-compiled)
trusty Not vulnerable
(code-not-compiled)
upstream Needs triage

xenial Not vulnerable
(code-not-compiled)
audacity
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(uses system expat)
disco Not vulnerable
(uses system expat)
eoan Not vulnerable
(uses system expat)
focal Not vulnerable
(uses system expat)
groovy Not vulnerable
(uses system expat)
hirsute Not vulnerable
(uses system expat)
impish Not vulnerable
(uses system expat)
jammy Not vulnerable
(uses system expat)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(uses system expat)
ayttm
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
cableswig
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
cadaver
Launchpad, Ubuntu, Debian
bionic Needs triage

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
chromium-browser
Launchpad, Ubuntu, Debian
bionic
Released (78.0.3904.70-0ubuntu0.18.04.2)
disco
Released (78.0.3904.70-0ubuntu0.19.04.4)
eoan
Released (79.0.3945.79-0ubuntu0.19.10.2)
focal
Released (78.0.3904.70-0ubuntu1)
groovy
Released (78.0.3904.70-0ubuntu1)
hirsute
Released (78.0.3904.70-0ubuntu1)
impish
Released (78.0.3904.70-0ubuntu1)
jammy
Released (78.0.3904.70-0ubuntu1)
precise Does not exist

trusty Does not exist

upstream
Released (78.0.3904.70)
xenial
Released (78.0.3904.70-0ubuntu0.16.04.2)
cmake
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code-not-compiled)
disco Not vulnerable
(code-not-compiled)
eoan Not vulnerable
(code-not-compiled)
focal Not vulnerable
(code-not-compiled)
groovy Not vulnerable
(code-not-compiled)
hirsute Not vulnerable
(code-not-compiled)
impish Not vulnerable
(code-not-compiled)
jammy Not vulnerable
(code-not-compiled)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code-not-compiled)
coin3
Launchpad, Ubuntu, Debian
bionic Needed

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(uses system expat)
groovy Ignored
(reached end-of-life)
hirsute Not vulnerable
(uses system expat)
impish Not vulnerable
(uses system expat)
jammy Not vulnerable
(uses system expat)
precise Does not exist

trusty Needed

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
expat
Launchpad, Ubuntu, Debian
bionic
Released (2.2.5-3ubuntu0.2)
disco
Released (2.2.6-1ubuntu0.19.5)
eoan Not vulnerable
(2.2.7-2)
focal Not vulnerable
(2.2.7-2)
groovy Not vulnerable
(2.2.7-2)
hirsute Not vulnerable
(2.2.7-2)
impish Not vulnerable
(2.2.7-2)
jammy Not vulnerable
(2.2.7-2)
precise
Released (2.0.1-7.2ubuntu1.7)
trusty
Released (2.1.0-4ubuntu1.4+esm2)
upstream
Released (2.1.0-6+deb8u6, 2.2.7-2)
xenial
Released (2.1.0-7ubuntu0.16.04.5)
firefox
Launchpad, Ubuntu, Debian
bionic
Released (70.0+build2-0ubuntu0.18.04.1)
disco
Released (70.0+build2-0ubuntu0.19.04.1)
eoan
Released (70.0+build2-0ubuntu0.19.10.1)
focal
Released (70.0+build2-0ubuntu1)
groovy
Released (70.0+build2-0ubuntu1)
hirsute
Released (70.0+build2-0ubuntu1)
impish
Released (70.0+build2-0ubuntu1)
jammy
Released (70.0+build2-0ubuntu1)
precise Does not exist

trusty Does not exist

upstream
Released (70.0)
xenial
Released (70.0+build2-0ubuntu0.16.04.1)
gdcm
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(uses system expat)
disco Not vulnerable
(uses system expat)
eoan Not vulnerable
(uses system expat)
focal Not vulnerable
(uses system expat)
groovy Not vulnerable
(uses system expat)
hirsute Not vulnerable
(uses system expat)
impish Not vulnerable
(uses system expat)
jammy Not vulnerable
(uses system expat)
precise Does not exist

trusty Not vulnerable
(uses system expat)
upstream Needs triage

xenial Not vulnerable
(uses system expat)
ghostscript
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code-not-compiled)
disco Not vulnerable
(code-not-compiled)
eoan Not vulnerable
(code-not-compiled)
focal Not vulnerable
(code-not-compiled)
groovy Not vulnerable
(code-not-compiled)
hirsute Not vulnerable
(code-not-compiled)
impish Not vulnerable
(code-not-compiled)
jammy Not vulnerable
(code-not-compiled)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code-not-compiled)
insighttoolkit
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
insighttoolkit4
Launchpad, Ubuntu, Debian
bionic Needs triage

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
kompozer
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

libparagui1.1
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

matanza
Launchpad, Ubuntu, Debian
bionic Needs triage

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
poco
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(uses system expat)
disco Not vulnerable
(uses system expat)
eoan Not vulnerable
(uses system expat)
focal Not vulnerable
(uses system expat)
groovy Not vulnerable
(uses system expat)
hirsute Not vulnerable
(uses system expat)
impish Not vulnerable
(uses system expat)
jammy Not vulnerable
(uses system expat)
precise Does not exist

trusty Not vulnerable
(uses system expat)
upstream Needs triage

xenial Not vulnerable
(uses system expat)
simgear
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(uses system expat)
disco Not vulnerable
(uses system expat)
eoan Not vulnerable
(uses system expat)
focal Not vulnerable
(uses system expat)
groovy Not vulnerable
(uses system expat)
hirsute Not vulnerable
(uses system expat)
impish Not vulnerable
(uses system expat)
jammy Not vulnerable
(uses system expat)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(uses system expat)
sitecopy
Launchpad, Ubuntu, Debian
bionic Needs triage

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
smart
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code-not-compiled)
disco Not vulnerable
(code-not-compiled)
eoan Not vulnerable
(code-not-compiled)
focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code-not-compiled)
swish-e
Launchpad, Ubuntu, Debian
bionic Needs triage

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
tdom
Launchpad, Ubuntu, Debian
bionic Needs triage

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
texlive-bin
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code-not-compiled)
disco Not vulnerable
(code-not-compiled)
eoan Not vulnerable
(code-not-compiled)
focal Not vulnerable
(code-not-compiled)
groovy Not vulnerable
(code-not-compiled)
hirsute Not vulnerable
(code-not-compiled)
impish Not vulnerable
(code-not-compiled)
jammy Not vulnerable
(code-not-compiled)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code-not-compiled)
thunderbird
Launchpad, Ubuntu, Debian
bionic
Released (1:68.2.1+build1-0ubuntu0.18.04.1)
disco Ignored
(reached end-of-life)
eoan
Released (1:68.2.1+build1-0ubuntu0.19.10.1)
focal
Released (1:68.2.0+build1.1-0ubuntu1)
groovy
Released (1:68.2.0+build1.1-0ubuntu1)
hirsute
Released (1:68.2.0+build1.1-0ubuntu1)
impish
Released (1:68.2.0+build1.1-0ubuntu1)
jammy
Released (1:68.2.0+build1.1-0ubuntu1)
precise Does not exist

trusty Does not exist

upstream
Released (68.2)
xenial
Released (1:68.7.0+build1-0ubuntu0.16.04.2)
vnc4
Launchpad, Ubuntu, Debian
bionic Needed

disco Not vulnerable
(code not present)
eoan Not vulnerable
(code not present)
focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Needed

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
vtk
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
wbxml2
Launchpad, Ubuntu, Debian
bionic Needs triage

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needs triage

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
wxwidgets2.8
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

xmlrpc-c
Launchpad, Ubuntu, Debian
bionic Needed

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needed

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needed

jammy Needed

precise Does not exist

trusty Needed

upstream Needed

xenial Ignored
(end of standard support, was needed)