USN-1527-1: Expat vulnerabilities

Releases

• Ubuntu 12.04
• Ubuntu 11.10
• Ubuntu 11.04
• Ubuntu 10.04
• Ubuntu 8.04

Packages

• expat - XML parsing C library - example application

Details

It was discovered that Expat computed hash values without restricting the
ability to trigger hash collisions predictably. If a user or application linked
against Expat were tricked into opening a crafted XML file, an attacker could
cause a denial of service by consuming excessive CPU resources. (CVE-2012-0876)

Tim Boddy discovered that Expat did not properly handle memory reallocation
when processing XML files. If a user or application linked against Expat were
tricked into opening a crafted XML file, an attacker could cause a denial of
service by consuming excessive memory resources. This issue only affected
Ubuntu 8.04 LTS, 10.04 LTS, 11.04 and 11.10. (CVE-2012-1148)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.04

• lib64expat1 - 2.0.1-0ubuntu1.2
• libexpat1-udeb - 2.0.1-0ubuntu1.2
• libexpat1 - 2.0.1-0ubuntu1.2

Ubuntu 12.04

• lib64expat1 - 2.0.1-7.2ubuntu1.1
• libexpat1-udeb - 2.0.1-7.2ubuntu1.1
• libexpat1 - 2.0.1-7.2ubuntu1.1

Ubuntu 11.10

• lib64expat1 - 2.0.1-7ubuntu3.11.10.1
• libexpat1-udeb - 2.0.1-7ubuntu3.11.10.1
• libexpat1 - 2.0.1-7ubuntu3.11.10.1

Ubuntu 11.04

• lib64expat1 - 2.0.1-7ubuntu3.11.04.1
• libexpat1-udeb - 2.0.1-7ubuntu3.11.04.1
• libexpat1 - 2.0.1-7ubuntu3.11.04.1

Ubuntu 10.04

• lib64expat1 - 2.0.1-7ubuntu1.1
• libexpat1-udeb - 2.0.1-7ubuntu1.1
• libexpat1 - 2.0.1-7ubuntu1.1

After a standard system upgrade you need to restart any applications linked
against Expat to effect the necessary changes.

References

• CVE-2012-0876
• CVE-2012-1148

Related notices

• USN-1527-2: libxmlrpc-core-c3-0, xmlrpc-c, libxmlrpc-core-c3
• USN-1613-1: python2.5, python2.5-minimal
• USN-1613-2: python2.4, python2.4-minimal
• USN-5455-1: libxmltok1, libxmltok1-dev, libxmltok