FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
e375ff3f-7fec-11e8-8088-28d244aee256    expat -- multiple vulnerabilities

Mitre reports:

An integer overflow during the parsing of XML using the Expat library.

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.


Discovery 2016-10-27
Entry 2018-07-05
expat < 2.2.1
libwww < 5.4.2

CVE-2016-9063
CVE-2017-9233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
https://libexpat.github.io/doc/cve-2017-9233/
c5bd8a25-99a6-11e9-a598-f079596b62f9    expat2 -- Fix extraction of namespace prefixes from XML names

expat project reports:

XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks


Discovery 2019-06-19
Entry 2019-09-16
expat < 2.2.7

https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9    texproc/expat2 -- billion laugh attack

Kurt Seifried reports:

So here are the CVE's for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.).

A billion laughs attack is a type of denial-of-service attack which is aimed at parsers of XML documents.


Discovery 2013-02-21
Entry 2021-05-24
expat < 2.4.1

CVE-2013-0340
https://www.openwall.com/lists/oss-security/2013/02/22/3
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
https://nvd.nist.gov/vuln/detail/CVE-2013-0340
ff76f0e0-3f11-11e6-b3c8-14dae9d210b8    expat2 -- denial of service

Adam Maris reports:

It was found that original patch for issues CVE-2015-1283 and CVE-2015-2716 used overflow checks that could be optimized out by some compilers applying certain optimization settings, which can cause the vulnerability to remain even after applying the patch.


Discovery 2016-06-09
Entry 2016-06-30
Modified 2016-11-30
expat < 2.1.1_2

https://bugzilla.redhat.com/show_bug.cgi?id=1344251
CVE-2016-4472
0a0670a1-3e1a-11ed-b48b-e0d55e2a8bf9    expat -- Heap use-after-free vulnerability

Debian Security Advisory reports:

Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.


Discovery 2022-09-14
Entry 2022-09-27
expat < 2.4.9

CVE-2022-40674
https://www.debian.org/security/2022/dsa-5236
https://nvd.nist.gov/vuln/detail/CVE-2022-40674
57b3aba7-1e25-11e6-8dd3-002590263bf5    expat -- denial of service vulnerability on malformed input

Gustavo Grieco reports:

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.


Discovery 2016-05-17
Entry 2016-05-20
Modified 2016-11-30
expat < 2.1.1
linux-c6-expat < 2.0.1_3
linux-c7-expat < 2.1.0_1

CVE-2016-0718
ports/209360
http://www.openwall.com/lists/oss-security/2016/05/17/12
c9c252f5-2def-11e6-ae88-002590263bf5    expat -- multiple vulnerabilities

Sebastian Pipping reports:

CVE-2012-6702 -- Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue #496)

CVE-2016-5300 -- Use more entropy for hash initialization than the original fix to CVE-2012-0876.


Discovery 2016-03-18
Entry 2016-06-09
Modified 2016-11-06
expat < 2.1.1_1

CVE-2012-6702
CVE-2016-5300
ports/210155
https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/
http://www.openwall.com/lists/oss-security/2016/03/18/3
6856d798-d950-11e9-aae4-f079596b62f9    expat2 -- Fix extraction of namespace prefixes from XML names

expat project reports:

Fix heap overflow triggered by XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype


Discovery 2019-09-13
Entry 2019-09-17
expat < 2.2.8

https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes