Your message dated Fri, 24 Jul 2015 15:35:12 +0000
with message-id <e1zif0c-00025w...@franck.debian.org>
and subject line Bug#793484: fixed in expat 2.1.0-7
has caused the Debian Bug report #793484,
regarding expat: CVE-2015-1283: Multiple integer overflows in the XML_GetBuffer function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
793484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: expat
Severity: grave
Tags: security patch
Hi,
the following vulnerability was published for expat.
CVE-2015-1283[0]:
| Multiple integer overflows in the XML_GetBuffer function in Expat
| through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other
| products, allow remote attackers to cause a denial of service
| (heap-based buffer overflow) or possibly have unspecified other impact
| via crafted XML data, a related issue to CVE-2015-2716.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
Please adjust the affected versions in the BTS as needed.
It looks like Mozilla wrote a patch here:
https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
And chromium reused that patch too.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
--- End Message ---
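The overflow the CVE text describes sits in the arithmetic that grows the parser's input buffer: the requested length is added to the unparsed tail and the buffer size is doubled until it fits, and both steps can wrap. The C model below is an added illustration, not Expat's code and not the Mozilla patch linked above; `struct pbuf`, `grow_plan_checked` and `get_buffer` are this example's own names. It keeps the unchecked shape in a comment and implements the checked shape, which refuses the request instead of wrapping.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Parser-style input buffer: [buf, ptr) consumed, [ptr, end) unparsed,
 * [end, buf+size) free. Names are this example's own, not Expat's. */
struct pbuf { char *buf, *ptr, *end; int size; };
/* Size the buffer must reach so `pending` unparsed bytes plus `len` new bytes
 * fit, or -1 if the addition or the doubling loop would overflow int. The
 * unchecked shape `needed = len + pending; while (size < needed) size *= 2;`
 * wraps for len near INT_MAX: malloc then gets far less than the later copy. */
int grow_plan_checked(int len, int pending, int current)
{
    if (len < 0 || pending < 0 || current <= 0) return -1;
    unsigned needed = (unsigned)len + (unsigned)pending;  /* defined wrap */
    if (needed > (unsigned)INT_MAX) return -1;            /* sum wrapped */
    int size = current;
    while ((unsigned)size < needed) {
        unsigned doubled = 2U * (unsigned)size;
        if (doubled > (unsigned)INT_MAX) return -1;       /* doubling wrapped */
        size = (int)doubled;
    }
    return size;
}

/* Hand out `len` writable bytes at the end of the buffer, growing or
 * compacting as needed; NULL on overflow or allocation failure. */
char *get_buffer(struct pbuf *p, int len)
{
    int pending = (int)(p->end - p->ptr);
    int need = grow_plan_checked(len, pending, p->size);
    if (need < 0) return NULL;                     /* refuse, do not wrap */
    if (need > p->size) {
        char *nb = malloc((size_t)need);
        if (!nb) return NULL;
        memcpy(nb, p->ptr, (size_t)pending);
        free(p->buf);
        p->buf = p->ptr = nb; p->end = nb + pending; p->size = need;
    } else if (p->size - (int)(p->end - p->buf) < len) {
        memmove(p->buf, p->ptr, (size_t)pending);  /* compact in place */
        p->ptr = p->buf; p->end = p->buf + pending;
    }
    return p->end;
}
int main(void)
{
    printf("%d %d\n", grow_plan_checked(2000, 50, 1024),          /* 4096 */
           grow_plan_checked(INT_MAX - 5, 0, 1024));              /* -1 */
    return 0;
}
```

The second call shows the doubling-loop case: the sum itself fits, but the buffer size would have to pass INT_MAX to cover it, so the request is refused.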
--- Begin Message ---
Source: expat
Source-Version: 2.1.0-7
We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 24 Jul 2015 14:48:45 +0000
Source: expat
Binary: lib64expat1-dev lib64expat1 libexpat1-dev libexpat1 libexpat1-udeb expat
Architecture: source amd64
Version: 2.1.0-7
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
expat - XML parsing C library - example application
lib64expat1 - XML parsing C library - runtime library (64bit)
lib64expat1-dev - XML parsing C library - development kit (64bit)
libexpat1 - XML parsing C library - runtime library
libexpat1-dev - XML parsing C library - development kit
libexpat1-udeb - XML parsing C library - runtime library (udeb)
Closes: 793484
Changes:
expat (2.1.0-7) unstable; urgency=high
.
* Fix CVE-2015-1283, multiple integer overflows in the XML_GetBuffer
function (closes: #793484).
* Update Standards-Version to 3.9.6.
Checksums-Sha1:
Checksums-Sha256:
Files:
Package-Type: udeb
--- End Message ---