CVE-2019-15903

Published: 04 September 2019

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
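
The practical consequence of the description above is that the dangerous call is not the parse itself but the position query that follows it: code that reads the current line and column after XML_Parse returns (typically to report a well-formedness error) is what touches the over-read. The block below is an added example, not code from the Ubuntu tracker or from libexpat. It uses Python's standard-library pyexpat binding to show two things a consumer of the library wants: a version gate for the expat that was actually linked (2.2.8 is the first fixed upstream release) and the error-path pattern that calls into XML_GetCurrentLineNumber / XML_GetCurrentColumnNumber. The version string format "expat_X.Y.Z" is what XML_ExpatVersion() returns; the sample XML documents are constructed for the example.

```python
"""Added example (not part of the Ubuntu CVE tracker page or of libexpat):
gate on the expat version that Python's pyexpat binding is linked against, and
show the error-path call pattern that CVE-2019-15903 affects."""
import re
import pyexpat
import xml.parsers.expat as expat

FIXED_IN = (2, 2, 8)  # libexpat 2.2.8 is the first upstream release with the fix


def parse_expat_version(version_string):
    """Turn the string reported by XML_ExpatVersion(), e.g. 'expat_2.2.7',
    into a (major, minor, micro) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if m is None:
        raise ValueError("unrecognised expat version string: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def is_fixed(version_info):
    """True when the given (major, minor, micro) is 2.2.8 or later."""
    return tuple(version_info) >= FIXED_IN


def linked_expat_is_fixed():
    """Check the expat this interpreter actually loaded. Caveat: CPython may be
    built with a bundled copy of expat instead of the distribution's libexpat1
    package, so for Python consumers this copy is the one that matters."""
    return is_fixed(pyexpat.version_info)


def parse_and_locate_error(data):
    """Parse `data` and return (ok, line, column). On a well-formedness error
    the position is read back from the parser; in C this is the
    XML_GetCurrentLineNumber / XML_GetCurrentColumnNumber pair in which the
    CVE-2019-15903 over-read lived. Run this against untrusted input only on a
    fixed expat."""
    p = expat.ParserCreate()
    try:
        p.Parse(data, True)
    except expat.ExpatError:
        return False, p.ErrorLineNumber, p.ErrorColumnNumber
    return True, None, None


if __name__ == "__main__":
    print("linked expat:", pyexpat.EXPAT_VERSION, "fixed:", linked_expat_is_fixed())
    # Constructed sample inputs: one well-formed, one with a mismatched end tag.
    print(parse_and_locate_error("<doc><item>ok</item></doc>"))
    print(parse_and_locate_error("<doc>\n<item>\n</doc>"))
```

On an Ubuntu host the package-level check is separate from this one: the `expat` row in the status table below gives the fixed libexpat1 version per release, while `pyexpat.EXPAT_VERSION` reports what the interpreter loaded, and the two can differ when Python was built with its bundled expat.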

From the Ubuntu security team

A heap overflow was discovered in the expat library in XXX-PACKAGE-NAME-HERE-XXX. If a user were tricked into opening a specially crafted XML file, an attacker could potentially exploit this to cause a denial of service or execute arbitrary code.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status

Status terms (Ubuntu CVE tracker conventions): "Released (version)" is the first package version that carries the fix; "Not vulnerable (code-not-compiled)" means the source ships an embedded copy of expat that is not built into the binary packages; "Not vulnerable (uses system expat)" means the package links the distribution's libexpat, so the fix in the expat package covers it; "Needed" means the release is affected and no fixed package has been published; "Needs triage" means the package has not yet been assessed for this CVE; "Does not exist" means the package is not shipped in that release.

apache2 (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (code-not-compiled)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (code-not-compiled)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (code-not-compiled)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code-not-compiled)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (code-not-compiled)
  Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable (code-not-compiled)

apr-util (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (code-not-compiled)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (code-not-compiled)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (code-not-compiled)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code-not-compiled)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (code-not-compiled)
  Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable (code-not-compiled)

audacity (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (uses system expat)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (uses system expat)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (uses system expat)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (uses system expat)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (uses system expat)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

ayttm (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

cableswig (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

cadaver (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Needs triage
  Ubuntu 20.04 LTS (Focal Fossa)     Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)   Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

chromium-browser (Launchpad, Ubuntu, Debian)
  Upstream                           Released (78.0.3904.70)
  Ubuntu 21.04 (Hirsute Hippo)       Released (78.0.3904.70-0ubuntu1)
  Ubuntu 20.10 (Groovy Gorilla)      Released (78.0.3904.70-0ubuntu1)
  Ubuntu 20.04 LTS (Focal Fossa)     Released (78.0.3904.70-0ubuntu1)
  Ubuntu 18.04 LTS (Bionic Beaver)   Released (78.0.3904.70-0ubuntu0.18.04.2)
  Ubuntu 16.04 LTS (Xenial Xerus)    Released (78.0.3904.70-0ubuntu0.16.04.2)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

cmake (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (code-not-compiled)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (code-not-compiled)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (code-not-compiled)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code-not-compiled)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (code-not-compiled)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

coin3 (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needed
  Ubuntu 20.10 (Groovy Gorilla)      Needed
  Ubuntu 20.04 LTS (Focal Fossa)     Needed
  Ubuntu 18.04 LTS (Bionic Beaver)   Needed
  Ubuntu 16.04 LTS (Xenial Xerus)    Needed
  Ubuntu 14.04 ESM (Trusty Tahr)     Needed

expat (Launchpad, Ubuntu, Debian)
  Upstream                           Released (2.1.0-6+deb8u6, 2.2.7-2)
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (2.2.7-2)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (2.2.7-2)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (2.2.7-2)
  Ubuntu 18.04 LTS (Bionic Beaver)   Released (2.2.5-3ubuntu0.2)
  Ubuntu 16.04 LTS (Xenial Xerus)    Released (2.1.0-7ubuntu0.16.04.5)
  Ubuntu 14.04 ESM (Trusty Tahr)     Released (2.1.0-4ubuntu1.4+esm2)

firefox (Launchpad, Ubuntu, Debian)
  Upstream                           Released (70.0)
  Ubuntu 21.04 (Hirsute Hippo)       Released (70.0+build2-0ubuntu1)
  Ubuntu 20.10 (Groovy Gorilla)      Released (70.0+build2-0ubuntu1)
  Ubuntu 20.04 LTS (Focal Fossa)     Released (70.0+build2-0ubuntu1)
  Ubuntu 18.04 LTS (Bionic Beaver)   Released (70.0+build2-0ubuntu0.18.04.1)
  Ubuntu 16.04 LTS (Xenial Xerus)    Released (70.0+build2-0ubuntu0.16.04.1)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

gdcm (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (uses system expat)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (uses system expat)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (uses system expat)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (uses system expat)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (uses system expat)
  Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable (uses system expat)

ghostscript (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (code-not-compiled)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (code-not-compiled)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (code-not-compiled)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code-not-compiled)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (code-not-compiled)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

insighttoolkit (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

insighttoolkit4 (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Needs triage
  Ubuntu 20.04 LTS (Focal Fossa)     Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)   Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

kompozer (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)    Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

libparagui1.1 (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)    Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

matanza (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Needs triage
  Ubuntu 20.04 LTS (Focal Fossa)     Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)   Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

paraview (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (uses system expat)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (uses system expat)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (uses system expat)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (uses system expat)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

poco (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (uses system expat)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (uses system expat)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (uses system expat)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (uses system expat)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (uses system expat)
  Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable (uses system expat)

simgear (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (uses system expat)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (uses system expat)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (uses system expat)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (uses system expat)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (uses system expat)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

sitecopy (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Needs triage
  Ubuntu 20.04 LTS (Focal Fossa)     Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)   Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

smart (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code-not-compiled)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (code-not-compiled)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

swish-e (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Needs triage
  Ubuntu 20.04 LTS (Focal Fossa)     Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)   Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

tdom (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Needs triage
  Ubuntu 20.04 LTS (Focal Fossa)     Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)   Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

texlive-bin (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (code-not-compiled)
  Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (code-not-compiled)
  Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (code-not-compiled)
  Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (code-not-compiled)
  Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (code-not-compiled)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

thunderbird (Launchpad, Ubuntu, Debian)
  Upstream                           Released (68.2)
  Ubuntu 21.04 (Hirsute Hippo)       Released (1:68.2.0+build1.1-0ubuntu1)
  Ubuntu 20.10 (Groovy Gorilla)      Released (1:68.2.0+build1.1-0ubuntu1)
  Ubuntu 20.04 LTS (Focal Fossa)     Released (1:68.2.0+build1.1-0ubuntu1)
  Ubuntu 18.04 LTS (Bionic Beaver)   Released (1:68.2.1+build1-0ubuntu0.18.04.1)
  Ubuntu 16.04 LTS (Xenial Xerus)    Released (1:68.7.0+build1-0ubuntu0.16.04.2)
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

vnc4 (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Needed
  Ubuntu 16.04 LTS (Xenial Xerus)    Needed
  Ubuntu 14.04 ESM (Trusty Tahr)     Needed

vtk (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)    Needed
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

wbxml2 (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Needs triage
  Ubuntu 20.04 LTS (Focal Fossa)     Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)   Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

wxwidgets2.6 (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)    Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

wxwidgets2.8 (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Does not exist
  Ubuntu 20.10 (Groovy Gorilla)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)    Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

xmlrpc-c (Launchpad, Ubuntu, Debian)
  Upstream                           Needed
  Ubuntu 21.04 (Hirsute Hippo)       Needed
  Ubuntu 20.10 (Groovy Gorilla)      Needed
  Ubuntu 20.04 LTS (Focal Fossa)     Needed
  Ubuntu 18.04 LTS (Bionic Beaver)   Needed
  Ubuntu 16.04 LTS (Xenial Xerus)    Needed
  Ubuntu 14.04 ESM (Trusty Tahr)     Needed

xotcl (Launchpad, Ubuntu, Debian)
  Upstream                           Needs triage
  Ubuntu 21.04 (Hirsute Hippo)       Needs triage
  Ubuntu 20.10 (Groovy Gorilla)      Needs triage
  Ubuntu 20.04 LTS (Focal Fossa)     Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)   Needs triage
  Ubuntu 16.04 LTS (Xenial Xerus)    Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist