Debian Expat vulnerabilities

CVE-2022-25236 [CRITICAL] CVE-2022-25236: expat - xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert names... xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. Scope: local bookworm: resolved (fixed in 2.4.5-1) bullseye: resolved (fixed in 2.2.10-2+deb11u2) forky: resolved (fixed in 2.4.5-1) sid: resolved (fixed in 2.4.5-1) trixie: resolved (fixed in 2.4.5-1)

CVE-2022-22824 [CRITICAL] CVE-2022-22824: expat - defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an intege... defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Scope: local bookworm: resolved (fixed in 2.4.3-1) bullseye: resolved (fixed in 2.2.10-2+deb11u1) forky: resolved (fixed in 2.4.3-1) sid: resolved (fixed in 2.4.3-1) trixie: resolved (fixed in 2.4.3-1)

CVE-2022-22825 [HIGH] CVE-2022-22825: expat - lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflo... lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Scope: local bookworm: resolved (fixed in 2.4.3-1) bullseye: resolved (fixed in 2.2.10-2+deb11u1) forky: resolved (fixed in 2.4.3-1) sid: resolved (fixed in 2.4.3-1) trixie: resolved (fixed in 2.4.3-1)

CVE-2022-22826 [HIGH] CVE-2022-22826: expat - nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integ... nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Scope: local bookworm: resolved (fixed in 2.4.3-1) bullseye: resolved (fixed in 2.2.10-2+deb11u1) forky: resolved (fixed in 2.4.3-1) sid: resolved (fixed in 2.4.3-1) trixie: resolved (fixed in 2.4.3-1)

CVE-2022-40674 [HIGH] CVE-2022-40674: expat - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse... libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Scope: local bookworm: resolved (fixed in 2.4.8-2) bullseye: resolved (fixed in 2.2.10-2+deb11u4) forky: resolved (fixed in 2.4.8-2) sid: resolved (fixed in 2.4.8-2) trixie: resolved (fixed in 2.4.8-2)

CVE-2022-22827 [HIGH] CVE-2022-22827: expat - storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer over... storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Scope: local bookworm: resolved (fixed in 2.4.3-1) bullseye: resolved (fixed in 2.2.10-2+deb11u1) forky: resolved (fixed in 2.4.3-1) sid: resolved (fixed in 2.4.3-1) trixie: resolved (fixed in 2.4.3-1)

CVE-2022-25314 [HIGH] CVE-2022-25314: expat - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString... In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. Scope: local bookworm: resolved (fixed in 2.4.5-1) bullseye: resolved (fixed in 2.2.10-2+deb11u2) forky: resolved (fixed in 2.4.5-1) sid: resolved (fixed in 2.4.5-1) trixie: resolved (fixed in 2.4.5-1)

CVE-2022-43680 [HIGH] CVE-2022-43680: expat - In libexpat through 2.4.9, there is a use-after free caused by overeager destruc... In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. Scope: local bookworm: resolved (fixed in 2.5.0-1) bullseye: resolved (fixed in 2.2.10-2+deb11u5) forky: resolved (fixed in 2.5.0-1) sid: resolved (fixed in 2.5.0-1) trixie: resolved (fixed in 2.5.0-1)

CVE-2022-23990 [HIGH] CVE-2022-23990: expat - Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog functi... Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. Scope: local bookworm: resolved (fixed in 2.4.3-3) bullseye: resolved (fixed in 2.2.10-2+deb11u1) forky: resolved (fixed in 2.4.3-3) sid: resolved (fixed in 2.4.3-3) trixie: resolved (fixed in 2.4.3-3)

CVE-2022-25313 [MEDIUM] CVE-2022-25313: expat - In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion i... In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. Scope: local bookworm: resolved (fixed in 2.4.5-1) bullseye: resolved (fixed in 2.2.10-2+deb11u2) forky: resolved (fixed in 2.4.5-1) sid: resolved (fixed in 2.4.5-1) trixie: resolved (fixed in 2.4.5-1)

CVE-2021-46143 [HIGH] CVE-2021-46143: expat - In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overf... In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. Scope: local bookworm: resolved (fixed in 2.4.3-1) bullseye: resolved (fixed in 2.2.10-2+deb11u1) forky: resolved (fixed in 2.4.3-1) sid: resolved (fixed in 2.4.3-1) trixie: resolved (fixed in 2.4.3-1)

CVE-2021-45960 [HIGH] CVE-2021-45960: expat - In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the... In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). Scope: local bookworm: resolved (fixed in 2.4.3-1) bullseye: resolved (fixed in 2.2.10-2+deb11u1) forky: resolved (fixed in 2.4.3-1) sid: resolved (fixed in 2.4.3-1)

CVE-2019-15903 [HIGH] CVE-2019-15903: chromium - In libexpat before 2.2.8, crafted XML input could fool the parser into changing ... In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2018-20843 [HIGH] CVE-2018-20843: expat - In libexpat in Expat before 2.2.7, XML input including XML names that contain a ... In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). Scope: local bookworm: resolved (fixed in 2.2.6-2) bullseye: resolved (fixed in 2.2.6-2) forky: resolved (fixed in 2.2.6-2)

CVE-2017-9233 [HIGH] CVE-2017-9233: expat - XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parse... XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. Scope: local bookworm: resolved (fixed in 2.2.1-1) bullseye: resolved (fixed in 2.2.1-1) forky: resolved (fixed in 2.2.1-1) sid: resolved (fixed in 2.2.1-1) tr

CVE-2017-11742 [HIGH] CVE-2017-11742: expat - The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.... The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2016-0718 [CRITICAL] CVE-2016-0718: expat - Expat allows context-dependent attackers to cause a denial of service (crash) or... Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. Scope: local bookworm: resolved (fixed in 2.1.1-2) bullseye: resolved (fixed in 2.1.1-2) forky: resolved (fixed in 2.1.1-2) sid: resolved (fixed in 2.1.1-2) trixie: resolved (fixed in 2.1.1

CVE-2016-9063 [CRITICAL] CVE-2016-9063: expat - An integer overflow during the parsing of XML using the Expat library. This vuln... An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50. Scope: local bookworm: resolved (fixed in 2.2.0-2) bullseye: resolved (fixed in 2.2.0-2) forky: resolved (fixed in 2.2.0-2) sid: resolved (fixed in 2.2.0-2) trixie: resolved (fixed in 2.2.0-2)

CVE-2016-5300 [MEDIUM] CVE-2016-5300: expat - The XML parser in Expat does not use sufficient entropy for hash initialization,... The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. Scope: local bookworm: resolved (fixed in 2.1.1-3) bullseye: resolved (fixed

CVE-2016-4472 [MEDIUM] CVE-2016-4472: expat - The overflow protection in Expat is removed by compilers with certain optimizati... The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716. Scope: local bookworm: resolved (fixed in 2.1.1-2) bull