Name | CVE-2009-3720 |
Description | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-1921-1, DSA-1977-1 |
Debian Bugs | 551936, 551938, 560912, 560913, 560914, 560915, 560916, 560917, 560919, 560920, 560921, 560922, 560924, 560925, 560926, 560927, 560928, 560929, 560930, 560931, 560932, 560933, 560935, 560936, 560937, 560940, 560942, 560944, 560945, 560946, 560950, 560951, 560953, 601053 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
audacity (PTS) | jessie | 2.0.6-2 | fixed |
| stretch | 2.1.2-2 | fixed |
| buster | 2.2.2-1 | fixed |
| bullseye | 2.4.2~dfsg0-5 | fixed |
| bookworm | 3.2.4+dfsg-1 | fixed |
| sid, trixie | 3.7.0+dfsg-1 | fixed |
ayttm (PTS) | jessie | 0.6.3-3 | fixed |
cableswig (PTS) | jessie | 0.1.0+cvs20111009-1.1 | vulnerable |
cadaver (PTS) | jessie, stretch | 0.23.3-2 | vulnerable |
| buster, bullseye | 0.23.3-2.1 | vulnerable |
| bookworm | 0.24+dfsg-1 | vulnerable |
| trixie | 0.24+dfsg-4 | vulnerable |
| sid | 0.26+dfsg-2 | vulnerable |
cmake (PTS) | jessie | 3.0.2-1+deb8u1 | fixed |
| stretch | 3.7.2-1 | fixed |
| buster | 3.13.4-1 | fixed |
| bullseye | 3.18.4-2+deb11u1 | fixed |
| bookworm | 3.25.1-1 | fixed |
| trixie | 3.30.5-1 | fixed |
| sid | 3.31.2-1 | fixed |
coin3 (PTS) | jessie | 3.1.4~abc9f50-7 | vulnerable |
| stretch | 3.1.4~abc9f50+dfsg1-2 | vulnerable |
| buster | 4.0.0~CMake~6f54f1602475+ds1-2 | vulnerable |
| bullseye | 4.0.0+ds-1 | vulnerable |
| bookworm | 4.0.0+ds-3 | vulnerable |
| sid, trixie | 4.0.2+ds-2 | vulnerable |
expat (PTS) | jessie, jessie (lts) | 2.1.0-6+deb8u12 | fixed |
| stretch (security) | 2.2.0-2+deb9u5 | fixed |
| stretch (lts), stretch | 2.2.0-2+deb9u9 | fixed |
| buster, buster (lts) | 2.2.6-2+deb10u8 | fixed |
| buster (security) | 2.2.6-2+deb10u7 | fixed |
| bullseye | 2.2.10-2+deb11u5 | fixed |
| bullseye (security) | 2.2.10-2+deb11u6 | fixed |
| bookworm (security), bookworm | 2.5.0-1+deb12u1 | fixed |
| sid, trixie | 2.6.4-1 | fixed |
gdcm (PTS) | jessie | 2.4.4-3+deb8u1 | fixed |
| stretch | 2.6.6-3 | fixed |
| buster | 2.8.8-9 | fixed |
| bullseye | 3.0.8-2 | fixed |
| bookworm | 3.0.21-1 | fixed |
| sid, trixie | 3.0.24-5 | fixed |
ghostscript (PTS) | jessie, jessie (lts) | 9.26a~dfsg-0+deb8u13 | fixed |
| stretch (security) | 9.26a~dfsg-0+deb9u9 | fixed |
| stretch (lts), stretch | 9.26a~dfsg-0+deb9u13 | fixed |
| buster, buster (lts) | 9.27~dfsg-2+deb10u10 | fixed |
| buster (security) | 9.27~dfsg-2+deb10u9 | fixed |
| bullseye | 9.53.3~dfsg-7+deb11u7 | fixed |
| bullseye (security) | 9.53.3~dfsg-7+deb11u9 | fixed |
| bookworm | 10.0.0~dfsg-11+deb12u5 | fixed |
| bookworm (security) | 10.0.0~dfsg-11+deb12u6 | fixed |
| sid, trixie | 10.04.0~dfsg-2 | fixed |
insighttoolkit (PTS) | jessie | 3.20.1+git20120521-5 | fixed |
matanza (PTS) | jessie, stretch | 0.13+ds1-5 | vulnerable |
| buster | 0.13+ds1-6 | vulnerable |
| bullseye, bookworm | 0.13+ds2-1 | vulnerable |
| sid, trixie | 0.13+ds2-2 | vulnerable |
mcabber (PTS) | jessie, jessie (lts) | 0.10.2-1+deb8u1 | fixed |
| stretch | 1.0.4-1.1 | fixed |
| buster | 1.1.0-1.1 | fixed |
| bullseye | 1.1.2-1 | fixed |
| sid, trixie, bookworm | 1.1.2-2 | fixed |
paraview (PTS) | jessie | 4.1.0+dfsg+1-1 | fixed |
| stretch | 5.1.2+dfsg1-2 | fixed |
| buster | 5.4.1+dfsg4-3.1 | fixed |
| bullseye | 5.9.0-2 | fixed |
| bookworm | 5.11.0+dfsg-1 | fixed |
| sid | 5.13.1+dfsg-10 | fixed |
poco (PTS) | jessie, jessie (lts) | 1.3.6p1-5+deb8u1 | fixed |
| stretch (security), stretch (lts), stretch | 1.7.6+dfsg1-5+deb9u1 | fixed |
| buster | 1.9.0-5 | fixed |
| bullseye | 1.10.0-6+deb11u1 | fixed |
| bookworm | 1.11.0-3 | fixed |
| sid, trixie | 1.13.0-6 | fixed |
simgear (PTS) | jessie | 3.0.0-6 | fixed |
| stretch | 1:2016.4.4+dfsg-2 | fixed |
| buster | 1:2018.3.2+dfsg-5 | fixed |
| bullseye | 1:2020.3.6+dfsg-1 | fixed |
| bookworm | 1:2020.3.16+dfsg-1 | fixed |
| sid, trixie | 1:2020.3.18+dfsg-2.1 | fixed |
smart (PTS) | jessie, buster, stretch | 1.4-2 | fixed |
tdom (PTS) | jessie, stretch | 0.8.3-1 | fixed |
| buster | 0.9.1-1 | fixed |
| bullseye | 0.9.2-1 | fixed |
| bookworm | 0.9.3-1 | fixed |
| sid, trixie | 0.9.5-1 | fixed |
texlive-bin (PTS) | jessie, jessie (lts) | 2014.20140926.35254-6+deb8u1 | fixed |
| stretch (security) | 2016.20160513.41080.dfsg-2+deb9u1 | fixed |
| stretch (lts), stretch | 2016.20160513.41080.dfsg-2+deb9u2 | fixed |
| buster, buster (lts) | 2018.20181218.49446-1+deb10u3 | fixed |
| buster (security) | 2018.20181218.49446-1+deb10u2 | fixed |
| bullseye | 2020.20200327.54578-7+deb11u1 | fixed |
| bullseye (security) | 2020.20200327.54578-7+deb11u2 | fixed |
| bookworm | 2022.20220321.62855-5.1+deb12u1 | fixed |
| sid, trixie | 2024.20240313.70630+ds-5 | fixed |
tla (PTS) | jessie | 1.3.5+dfsg1-1 | fixed |
| buster, bullseye, stretch | 1.3.5+dfsg1-2 | fixed |
| bookworm | 1.3.5+dfsg1-2.1 | fixed |
| sid | 1.3.5+dfsg2-1 | fixed |
udunits (PTS) | jessie | 2.2.17-1 | fixed |
| stretch | 2.2.20-1 | fixed |
| buster | 2.2.26-5 | fixed |
| bullseye | 2.2.28-3 | fixed |
| bookworm | 2.2.28-5 | fixed |
| sid, trixie | 2.2.28-7 | fixed |
vnc4 (PTS) | jessie | 4.1.1+X4.3.0-37.6 | fixed |
| buster, stretch | 4.1.1+X4.3.0+t-1 | fixed |
vxl (PTS) | jessie | 1.17.0.dfsg-1 | fixed |
xmlrpc-c (PTS) | jessie | 1.33.14-0.2 | fixed |
| stretch | 1.33.14-4 | fixed |
| buster | 1.33.14-8 | fixed |
| bullseye | 1.33.14-9 | fixed |
| bookworm | 1.33.14-11 | fixed |
| sid, trixie | 1.59.03-6 | fixed |
xotcl (PTS) | jessie | 1.6.8-1 | fixed |
| stretch | 1.6.8-3 | fixed |
| buster | 1.6.8-4 | fixed |
| bullseye | 1.6.8-4.1 | fixed |
| sid, trixie, bookworm | 1.6.8-5 | fixed |
The information below is based on the following data on fixed versions.