CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat…

CVE-2012-6702 [MEDIUM] CVE-2012-6702: iTunes 12.6 Apple Security Update: About the security content of iTunes 12.6 Product: iTunes Version: 12.6 CVE: CVE-2012-6702 Component: CVE-2012-6702

CVE-2012-6702 [MEDIUM] CVE-2012-6702: iTunes 12.6 for Windows Apple Security Update: About the security content of iTunes 12.6 for Windows Product: iTunes 12.6 for Windows CVE: CVE-2012-6702 Component: CVE-2012-6702

CVE-2012-6702 [MEDIUM] CVE-2012-6702: Android Security Bulletin 2016-11-01 CVE: CVE-2012-6702 Severity: MEDIUM Affected AOSP versions: 4 Android Security Bulletin 2016-11-01 CVE: CVE-2012-6702 Severity: MEDIUM Affected AOSP versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 References: A-29149404

CVE-2012-6702 [MEDIUM] Expat vulnerabilities Title: Expat vulnerabilities Summary: Several security issues were fixed in Expat. It was discovered that Expat unexpectedly called srand in certain circumstances. This could reduce the security of calling applications. (CVE-2012-6702) It was discovered that Expat incorrectly handled seeding the random number generator. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-5300) Instructions: After a standard system upgrade you need to restart any applications linked against Expat to effect the necessary changes.

CVE-2012-6702 [MEDIUM] XML-RPC for C and C++ vulnerabilities Title: XML-RPC for C and C++ vulnerabilities Summary: Several security issues were fixed in XML-RPC for C and C++. It was discovered that the Expat code in XML-RPC for C and C++ unexpectedly called srand in certain circumstances. This could reduce the security of calling applications. (CVE-2012-6702) It was discovered that the Expat code in XML-RPC for C and C++ incorrectly handled seeding the random number generator. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-5300) Gustavo Grieco discovered that the Expat code in XML-RPC for C and C++ incorrectly handled malformed XML data. If a user or application linked against XML-RPC for C and C++ were tricked into opening a crafted XML file, an attacker could cause a denial of service, or possibly exec

CVE-2012-6702 [MEDIUM] CWE-330 expat: Using XML_Parse before rand() results into non-random output expat: Using XML_Parse before rand() results into non-random output Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. Package: expat (Red Hat Directory Server 8) - Under investigation Package: expat (Red Hat Enterprise Linux 5) - Will not fix Package: firefox (Red Hat Enterprise Linux 5) - Not affected Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected Package: xmlrpc-c (Red Hat Enterprise Linux 5) - Will not fix Package: xulrunner (Red Hat Enterprise Linux 5) - Not affected Package: compat-expat1 (Red Hat Enterprise Linux 6) - Not affected Package: expat (Red Hat Enterprise Linux 6) -

CVE-2012-6702 [MEDIUM] CVE-2012-6702: expat - Expat, when used in a parser that has not called XML_SetHashSalt or passed it a ... Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. Scope: local bookworm: resolved (fixed in 2.1.1-3) bullseye: resolved (fixed in 2.1.1-3) forky: resolved (fixed in 2.1.1-3) sid: resolved (fixed in 2.1.1-3) trixie: resolved (fixed in 2.1.1-3)

CVE-2012-6702 [MEDIUM] GHSA-qfwq-qvmm-7j3x: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat c Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.

CVE-2012-6702 [MEDIUM] expat vulnerabilities expat vulnerabilities It was discovered that Expat unexpectedly called srand in certain circumstances. This could reduce the security of calling applications. (CVE-2012-6702) It was discovered that Expat incorrectly handled seeding the random number generator. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-5300)

CVE-2012-6702 [MEDIUM] CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat c Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.

CVE-2012-6702 [MEDIUM] CVE-2012-6702 mingw-expat: expat: Using XML_Parse before rand() results into non-random output [fedora-all] CVE-2012-6702 mingw-expat: expat: Using XML_Parse before rand() results into non-random output [fedora-all] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects m

CVE-2012-6702 [MEDIUM] CVE-2012-6702 expat: Using XML_Parse before rand() results into non-random output CVE-2012-6702 expat: Using XML_Parse before rand() results into non-random output It was found that when calling XML_Parse ahead of rand(), it causes the pseudo random generator to generate non-random predictable numbers. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1197087 Discussion: Created compat-expat1 tracking bugs for this issue: Affects: fedora-all [bug 1319733] --- Created expat tracking bugs for this issue: Affects: fedora-all [bug 1319732] --- Created mingw-expat tracking bugs for this issue: Affects: fedora-all [bug 1319734] Affects: epel-7 [bug 1319736] --- Created expat21 tracking bugs for this issue: Affects: epel-all [bug 1319735] --- CVE assignment: http://seclists.org/oss-sec/2016/q2/469 --- Created attachment 1165212 Proposed upstream patc

CVE-2012-6702 [MEDIUM] CVE-2012-6702 expat21: expat: Using XML_Parse before rand() results into non-random output [epel-all] CVE-2012-6702 expat21: expat: Using XML_Parse before rand() results into non-random output [epel-all] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects mu

CVE-2012-6702 [MEDIUM] CVE-2012-6702 mingw-expat: expat: Using XML_Parse before rand() results into non-random output [epel-7] CVE-2012-6702 mingw-expat: expat: Using XML_Parse before rand() results into non-random output [epel-7] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. [bug automatically create

CVE-2012-6702 [MEDIUM] CVE-2012-6702 expat: Using XML_Parse before rand() results into non-random output [fedora-all] CVE-2012-6702 expat: Using XML_Parse before rand() results into non-random output [fedora-all] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple suppo

CVE-2012-6702 [MEDIUM] CVE-2012-6702 compat-expat1: expat: Using XML_Parse before rand() results into non-random output [fedora-all] CVE-2012-6702 compat-expat1: expat: Using XML_Parse before rand() results into non-random output [fedora-all] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects

XML_Parse breaks rand() function XML_Parse breaks rand() function Created attachment 996033 Suggested patch Description of problem: Calling XML_Parse seeds the rand() pseudo random generator, causing it to generate non-random and predictable numbers. Version-Release number of selected component (if applicable): expat-2.1.0-11.fc23 How reproducible: Always Steps to Reproduce: 1. cat expat_test.c #include #include #include int main(void) { XML_Parser parser; int i; for(i = 0; i #include bool has_srand_been_called_before() { if (rand() != 1804289383) return true; if (rand() != 846930886) return true; if (rand() != 1681692777) return true; return false; } void main() { if (! has_srand_been_called_before()) { printf("srand(1) detected, call to srand() needed.\n"); srand(17); /* except with more entropy */ } printf("ra