Package | expat |
---|---|
Version | 2.1.0-6+deb8u12 (jessie), 2.2.0-2+deb9u9 (stretch), 2.2.6-2+deb10u8 (buster) |
Related CVEs | CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 |
Multiple vulnerabilities were found in expat, an XML parsing C library, which could lead to Denial of Service, memory corruption or arbitrary code execution.
- CVE-2024-45490: TaiYou discovered that xmlparse.c does not reject a negative length for `XML_ParseBuffer()`, which may cause memory corruption or code execution.
- CVE-2024-45491: TaiYou discovered that xmlparse.c has an integer overflow for `nDefaultAtts` on 32-bit platforms, which may cause denial of service or code execution.
- CVE-2024-45492: TaiYou discovered that xmlparse.c has an integer overflow for `m_groupSize` on 32-bit platforms, which may cause denial of service or code execution.
For Debian 10 buster, these problems have been fixed in version 2.2.6-2+deb10u8.
For Debian 8 jessie, these problems have been fixed in version 2.1.0-6+deb8u12.
For Debian 9 stretch, these problems have been fixed in version 2.2.0-2+deb9u9.
We recommend that you upgrade your expat packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.