Bugzilla – Bug 750914
VUL-0: CVE-2012-0876: expat: hash table collisions CPU usage DoS
Last modified: 2017-02-02 15:25:35 UTC
expat seems to be prone to the hash table collisions DoS vulnerability (reported at [1]) as well:

"This release was triggered by a hash table DOS attack fix, it also includes accumulated bug fixes and some changes to the build system - using autoreconf instead of the old code in buildconf.sh. Also added a conditional feature to make byte offsets for attributes and attribute names available.

What's missing: Documentation updates (Changes file, reference.html)

Karl"

[1] http://mail.libexpat.org/pipermail/expat-discuss/2012-March/002768.html
r1.168 in xmlparse.c contains the patch, http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?view=log
The SWAMPID for this issue is 45949. This issue was rated as moderate. Please submit fixed packages until 2012-03-21. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
This is an autogenerated message for OBS integration:
This bug (750914) was mentioned in
https://build.opensuse.org/request/show/108480 12.1 / expat
https://build.opensuse.org/request/show/108483 11.4 / expat
openSUSE-SU-2012:0423-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 750914,751464,751465
CVE References: CVE-2012-0876,CVE-2012-1147,CVE-2012-1148
Sources used:
openSUSE 12.1 (src): expat-2.0.1-109.4.1
openSUSE 11.4 (src): expat-2.0.1-102.105.1
Product List: openSUSE 12.1 openSUSE 11.4
This is an autogenerated message for OBS integration: This bug (750914) was mentioned in https://build.opensuse.org/request/show/112140 Evergreen:11.2 / expat
Update released for: expat, expat-32bit, expat-debuginfo, expat-debuginfo-32bit, expat-debuginfo-64bit, expat-debuginfo-x86, expat-debugsource, libexpat-devel, libexpat1, libexpat1-32bit, libexpat1-x86
Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: expat
Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
We released this for openSUSE too, and received bug reports.
- exempi does not work correctly anymore (no more details)
- bug 755377 - libexpat1-2.0.1-109.4.1 causes an error for miranda clients connecting to ejabber
This is an autogenerated message for OBS integration: This bug (750914) was mentioned in https://build.opensuse.org/request/show/112758 Evergreen:11.2 / expat
bug 755377 reproducible also on Evergreen:11.2 with this update
Fixed. Stefan: Thanks for submitting it to evergreen!
If you have submitted all fixes for a security bug, please reassign it to the security team for tracking. Doing so now.
released
Update released for: expat, expat-32bit, expat-64bit, expat-debuginfo, expat-debuginfo-32bit, expat-debuginfo-64bit, expat-debuginfo-x86, expat-debugsource, expat-x86, libexpat-devel, libexpat1, libexpat1-32bit, libexpat1-x86
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: expat, expat-debuginfo, expat-debuginfo-32bit, expat-debuginfo-64bit, expat-debuginfo-x86, expat-debugsource, libexpat-devel, libexpat1, libexpat1-32bit, libexpat1-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)