First Last Prev Next    This bug is not in your last search results.
Bug 1047240 - VUL-0: CVE-2016-9063: expat: Possible integer overflow to fix inside XML_Parse in Expat
VUL-0: CVE-2016-9063: expat: Possible integer overflow to fix inside XML_Pars...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 42.1
: P3 - Medium : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/176415/
maint:released:sle10-sp3:63819
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-04 14:44 UTC by Marcus Meissner
Modified: 2017-10-26 06:21 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Patch for SLE-10, 11 and 12. (1.27 KB, application/gzip)
2017-08-03 11:52 UTC, Pedro Monreal Gonzalez 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-07-04 14:44:19 UTC 
this is expat bug


+++ This bug was initially created as a clone of Bug #1010424 +++

Security vulnerabilities fixed in Firefox 50
https://www.mozilla.org/security/announce/2016/mfsa2016-89.html

Discovered by: Gustavo Grieco
An integer overflow during the parsing of XML using the Expat library.

https://bugzilla.mozilla.org/show_bug.cgi?id=1274777
Comment 1 Pedro Monreal Gonzalez 2017-08-03 10:59:11 UTC 
Upstream commit: https://github.com/libexpat/libexpat/commit/d4f735b88d9932bd5039df2335eefdd0723dbe20
Comment 2 Pedro Monreal Gonzalez 2017-08-03 11:52:42 UTC 
Created attachment 735131 [details]
Patch for SLE-10, 11 and 12.

Packages submitted:

SUSE:SLE-12:Update     2.1.0 expat-2.1.0-CVE-2016-9063.patch sr#136847
SUSE:SLE-11:Update     2.0.1 expat-2.0.1-CVE-2016-9063.patch sr#136848
SUSE:SLE-10-SP3:Update 2.0.0 expat-2.0.1-CVE-2016-9063.patch sr#136849

openSUSE:Factory       2.2.1 Already fixed
Leap:42.1:Update Comes from SLE-12:GA
Leap:42.2:Update Comes from SLE-12:Update
Comment 4 Swamp Workflow Management 2017-08-07 15:29:14 UTC 
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2017-09-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63818
Comment 6 Swamp Workflow Management 2017-08-30 17:27:40 UTC 
SUSE-SU-2017:2299-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047236,1047240
CVE References: CVE-2016-9063,CVE-2017-9233
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    expat-2.1.0-21.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    expat-2.1.0-21.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    expat-2.1.0-21.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    expat-2.1.0-21.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    expat-2.1.0-21.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    expat-2.1.0-21.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    expat-2.1.0-21.3.1
SUSE Container as a Service Platform ALL (src):    expat-2.1.0-21.3.1
OpenStack Cloud Magnum Orchestration 7 (src):    expat-2.1.0-21.3.1
Comment 7 Swamp Workflow Management 2017-09-04 10:07:48 UTC 
openSUSE-SU-2017:2336-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047236,1047240
CVE References: CVE-2016-9063,CVE-2017-9233
Sources used:
openSUSE Leap 42.3 (src):    expat-2.1.0-24.1
openSUSE Leap 42.2 (src):    expat-2.1.0-21.3.1
Comment 8 Swamp Workflow Management 2017-09-06 13:07:43 UTC 
SUSE-SU-2017:2375-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047236,1047240
CVE References: CVE-2016-9063,CVE-2017-9233
Sources used:
SUSE Studio Onsite 1.3 (src):    expat-2.0.1-88.42.3.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    expat-2.0.1-88.42.3.2
SUSE Linux Enterprise Server 11-SP4 (src):    expat-2.0.1-88.42.3.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    expat-2.0.1-88.42.3.2
Comment 9 Swamp Workflow Management 2017-09-14 19:19:53 UTC 
SUSE-SU-2017:2470-1: An update that solves 18 vulnerabilities and has 46 fixes is now available.

Category: security (important)
Bug References: 1004995,1009745,1014471,1017420,1019637,1026825,1027079,1027688,1027908,1028281,1028723,1029523,1031756,1032706,1033236,1035062,1036659,1038132,1038444,1038984,1042392,1043218,1043333,1044095,1044107,1044175,1044840,1045384,1045735,1045987,1046268,1046417,1046659,1046853,1046858,1047008,1047236,1047240,1047310,1047379,1047785,1047964,1047965,1048315,1048483,1048605,1048679,1048715,1049344,1050396,1050484,1051626,1051643,1051644,1052030,1052759,1053409,874665,902364,938657,944903,954661,960820,963041
CVE References: CVE-2013-7459,CVE-2016-9063,CVE-2017-1000100,CVE-2017-1000101,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113,CVE-2017-3308,CVE-2017-3309,CVE-2017-3453,CVE-2017-3456,CVE-2017-3464,CVE-2017-7435,CVE-2017-7436,CVE-2017-8872,CVE-2017-9233,CVE-2017-9269
Sources used:
SUSE Container as a Service Platform ALL (src):    caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3, container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3, sles12-mariadb-docker-image-1.1.0-2.3.10, sles12-pause-docker-image-1.1.0-2.3.11, sles12-pv-recycler-node-docker-image-1.1.0-2.3.10, sles12-salt-api-docker-image-1.1.0-2.3.9, sles12-salt-master-docker-image-1.1.0-4.3.10, sles12-salt-minion-docker-image-1.1.0-2.3.8, sles12-velum-docker-image-1.1.0-4.3.9
Comment 10 Marcus Meissner 2017-10-26 06:21:36 UTC 
released
First Last Prev Next    This bug is not in your last search results.