[Bug 1600717] [NEW] Sync expat 2.2.0-1 (main) from Debian unstable (main)
LocutusOfBorg
costamagnagianfranco at yahoo.it
Mon Jul 11 08:33:35 UTC 2016
Public bug reported:
Please sync expat 2.2.0-1 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: unanticipated internal calls to srand
- debian/patches/CVE-2012-6702-1.patch: remove srand, use more entropy
in lib/xmlparse.c.
- debian/patches/CVE-2012-6702-2.patch: use a prime that fits 32bits on
32bit platforms in lib/xmlparse.c.
- CVE-2012-6702
* SECURITY UPDATE: use of too little entropy
- debian/patches/CVE-2016-5300-1.patch: extract method
gather_time_entropy in lib/xmlparse.c.
- debian/patches/CVE-2016-5300-2.patch: extract entropy from XML_Parser
address in lib/xmlparse.c.
- CVE-2016-5300
* SECURITY UPDATE: denial of service and possible code execution via
malformed documents
- debian/patches/CVE-2016-0718.patch: fix out of bounds memory access
and integer overflow in lib/xmlparse.c, lib/xmltok.c, lib/xmltok.h,
lib/xmltok_impl.c.
- CVE-2016-0718
* SECURITY UPDATE: integer overflows in XML_GetBuffer
- debian/patches/CVE-2015-1283-refix.patch: improved existing fix in
lib/xmlparse.c.
- CVE-2015-1283
Everything is part of Debian and the new upstream release.
Changelog entries since current yakkety version 2.1.1-1ubuntu2:
expat (2.2.0-1) unstable; urgency=low
* New upstream release, update symbols accordingly.
* Use upstream manpage for xmlwf.
* Drop all patches as this release contains those.
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Tue, 21 Jun 2016 15:29:58 +0000
expat (2.1.1-3) unstable; urgency=high
* Use upstream fix for the following security vulnerabilities:
- CVE-2012-6702, unanticipated internal calls to srand
- CVE-2016-5300, use of too little entropy
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Sun, 05 Jun 2016 00:17:46 +0000
expat (2.1.1-2) unstable; urgency=high
* Avoid relying on undefined behavior in CVE-2015-1283 fix.
* Apply upstream patch to fix the root cause of CVE-2016-0718 and
CVE-2016-0719 vulnerabilities.
* Update Standards-Version to 3.9.8.
-- Laszlo Boszormenyi (GCS) <gcs at debian.org> Mon, 16 May 2016 05:35:08 +0000
** Affects: expat (Ubuntu)
Importance: Wishlist
Status: New
** Changed in: expat (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to expat in Ubuntu.
https://bugs.launchpad.net/bugs/1600717
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/expat/+bug/1600717/+subscriptions
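The CVE-2015-1283 entries in the delta above (integer overflows in XML_GetBuffer, and the 2.1.1-2 changelog note about not relying on undefined behaviour in the fix) describe a class of bug that is clearer in code. The following is an added example, not expat's code and not part of this bug report: a hypothetical, simplified parse buffer with a GetBuffer-style call whose size arithmetic refuses, rather than wraps on, requests that would overflow a signed int. The names parse_buf, needed_size, grown_size, get_buffer and demo are invented for the illustration, and the 1024-byte initial size is an arbitrary choice.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified parse buffer used only for this example.
 * It is NOT expat's XML_Parser; it mirrors the shape of the problem:
 * a caller asks for `len` more bytes while `keep` bytes are still
 * unconsumed, and the library must compute keep + len without
 * overflowing a signed int. */
typedef struct {
    char *start;   /* allocated block */
    char *ptr;     /* first unconsumed byte */
    char *end;     /* one past the last valid byte */
    char *lim;     /* one past the end of the allocation */
} parse_buf;

/* Returns keep + len, or -1 if either operand is negative or the sum
 * would exceed INT_MAX.  The test is done by subtraction so the
 * overflowing addition is never performed; checking `(keep + len) < 0`
 * after the fact is undefined behaviour for signed ints and a compiler
 * is free to delete that check. */
int needed_size(int keep, int len) {
    if (keep < 0 || len < 0)
        return -1;
    if (len > INT_MAX - keep)
        return -1;
    return keep + len;
}

/* Doubles `size` until it reaches `needed`; returns -1 if doubling
 * would overflow instead of wrapping to a small (or negative) size. */
int grown_size(int size, int needed) {
    if (size <= 0)
        size = 1024;             /* arbitrary initial allocation */
    while (size < needed) {
        if (size > INT_MAX / 2)
            return -1;
        size *= 2;
    }
    return size;
}

/* Hands back a writable region of at least `len` bytes following the
 * unconsumed data, or NULL when the size arithmetic is unsafe or
 * allocation fails.  Same contract as a GetBuffer-style API. */
char *get_buffer(parse_buf *b, int len) {
    int keep = (int)(b->end - b->ptr);
    int needed = needed_size(keep, len);
    if (needed < 0)
        return NULL;
    int cap = (int)(b->lim - b->start);
    if (needed > cap) {
        int size = grown_size(cap, needed);
        if (size < 0)
            return NULL;
        char *n = malloc((size_t)size);
        if (n == NULL)
            return NULL;
        if (keep > 0)
            memcpy(n, b->ptr, (size_t)keep);
        free(b->start);
        b->start = n;
        b->ptr = n;
        b->end = n + keep;
        b->lim = n + size;
    } else if (b->ptr != b->start) {
        /* slide unconsumed bytes to the front instead of reallocating */
        memmove(b->start, b->ptr, (size_t)keep);
        b->ptr = b->start;
        b->end = b->start + keep;
    }
    return b->end;
}

void buf_init(parse_buf *b) { memset(b, 0, sizeof *b); }
void buf_free(parse_buf *b) { free(b->start); buf_init(b); }

/* Walks through the cases the fix must handle; returns 1 if every
 * outcome matches, 0 otherwise. */
int demo(void) {
    parse_buf b;
    buf_init(&b);
    int ok = 1;
    /* overflowing and negative requests are refused, not wrapped */
    ok &= (get_buffer(&b, INT_MAX) == NULL);
    ok &= (get_buffer(&b, -1) == NULL);
    /* a normal request, then a larger one with unconsumed data kept */
    char *p = get_buffer(&b, 100);
    ok &= (p != NULL);
    if (p) { memcpy(p, "hello", 5); b.end += 5; }
    ok &= (get_buffer(&b, 2000) != NULL);
    ok &= ((int)(b.end - b.ptr) == 5 && memcmp(b.ptr, "hello", 5) == 0);
    buf_free(&b);
    return ok;
}

int main(void) {
    printf("overflow-safe buffer checks %s\n", demo() ? "passed" : "FAILED");
    return demo() ? 0 : 1;
}
```

Build and run with `cc -Wall -O2 example.c && ./a.out`. The point the 2.1.1-2 changelog entry makes is visible in needed_size: the guard compares against `INT_MAX - keep` before any addition happens, so it holds at -O2, whereas a post-hoc sign test on an already-overflowed signed sum is undefined behaviour and may be optimised away.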