From nickmacd at gmail.com Fri Nov 6 03:43:54 2009
From: nickmacd at gmail.com (Nick MacDonald)
Date: Thu, 5 Nov 2009 21:43:54 -0500
Subject: [Expat-discuss] Anyone know about the recent security issue in eXpat?
Message-ID:

Anyone know anything about this, and what the change is, and if there will be an update from 2.0.1 to 2.0.2 or similar?

http://seclists.org/fulldisclosure/2009/Oct/344

Peter Valchev discovered an error in expat, an XML parsing C library, when parsing certain UTF-8 sequences, which can be exploited to crash an application using the library.


From rschiele at gmail.com Fri Nov 6 18:45:07 2009
From: rschiele at gmail.com (Robert Schiele)
Date: Fri, 6 Nov 2009 18:45:07 +0100
Subject: [Expat-discuss] Anyone know about the recent security issue in eXpat?
In-Reply-To:
References:
Message-ID: <20091106174506.GA18168@sigfpe.ibm.com>

On Thu, Nov 05, 2009 at 09:43:54PM -0500, Nick MacDonald wrote:
> Anyone know anything about this, and what the change is, and if there

The fix is in CVS:
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15

Robert

--
Robert Schiele
Dipl.-Wirtsch.informatiker
mailto:rschiele at gmail.com

"Quidquid latine dictum sit, altum sonatur."


From karl at waclawek.net Fri Nov 6 19:16:11 2009
From: karl at waclawek.net (Karl Waclawek)
Date: Fri, 06 Nov 2009 13:16:11 -0500
Subject: [Expat-discuss] Anyone know about the recent security issue in eXpat?
In-Reply-To: <20091106174506.GA18168@sigfpe.ibm.com>
References: <20091106174506.GA18168@sigfpe.ibm.com>
Message-ID: <4AF467EB.30606@waclawek.net>

Robert Schiele wrote:
> On Thu, Nov 05, 2009 at 09:43:54PM -0500, Nick MacDonald wrote:
>
>> Anyone know anything about this, and what the change is, and if there
>
> The fix is in CVS:
> http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15

Thanks. Now I know which bug was the "big security threat": 1990430

Karl
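The two practical questions behind this thread are which Expat a given application actually links against, and whether that build rejects malformed UTF-8 with a parse error instead of crashing. The following is an added example, not code from the thread or from the Expat project. It uses Python's xml.parsers.expat module, which is a binding to the same C library, so its version_info is the number to compare against a fixed release. The sample documents are constructed for illustration; they are generic malformed UTF-8 (a lead byte without its continuation bytes, a stray continuation byte, a lead byte at the very end of the input) and are not claimed to be the exact sequence from the advisory.

```python
# Added example (not code from the Expat project or from the thread):
# report which Expat the interpreter links against, and confirm that
# malformed UTF-8 in a document is reported as a parse error rather than
# crashing the process. The inputs below are constructed for illustration
# and are not claimed to be the exact sequence from the advisory.
import xml.parsers.expat as expat


def expat_version():
    """Return (major, minor, micro) of the linked Expat library.

    xml.parsers.expat is a binding to the same C library the thread is
    about, so this is the number to compare against a fixed release.
    """
    return expat.version_info


def parse_utf8(data):
    """Parse `data` (bytes) as one complete UTF-8 XML document.

    Returns ("ok", [element names in document order]) on success, or
    ("error", message) when Expat rejects the input with ExpatError.
    For malformed UTF-8 the second outcome is the correct one: the
    library signals an error and the application keeps running.
    """
    names = []
    parser = expat.ParserCreate("UTF-8")
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    try:
        parser.Parse(data, True)  # True: this is the final buffer
    except expat.ExpatError as exc:
        return ("error", str(exc))
    return ("ok", names)


# Constructed sample documents (not from the original page).
GOOD = b"<?xml version='1.0'?><r>caf\xc3\xa9</r>"  # valid 2-byte sequence
# Lead byte 0xE2 announces a 3-byte character, but '<' follows instead of
# two continuation bytes.
TRUNCATED = b"<?xml version='1.0'?><r>\xe2</r>"
# A continuation byte with no lead byte in front of it.
STRAY = b"<?xml version='1.0'?><r>\xa9</r>"
# Lead byte as the very last byte of the input, so the character runs off
# the end of the buffer.
TAIL = b"<?xml version='1.0'?><r>x</r>\xe2"


def check_all():
    """Run every sample through the parser; return {name: status}."""
    return {
        "GOOD": parse_utf8(GOOD)[0],
        "TRUNCATED": parse_utf8(TRUNCATED)[0],
        "STRAY": parse_utf8(STRAY)[0],
        "TAIL": parse_utf8(TAIL)[0],
    }


if __name__ == "__main__":
    print("Expat", ".".join(map(str, expat_version())))
    for name, doc in (("GOOD", GOOD), ("TRUNCATED", TRUNCATED),
                      ("STRAY", STRAY), ("TAIL", TAIL)):
        print(f"{name:10s} -> {parse_utf8(doc)}")
```

Run it under the interpreter that ships with the application you are auditing; a process that links Expat through some other binding needs the same check against that binding's reported version. Catching ExpatError is only meaningful once the library itself stops over-reading on these inputs, which is why the version check comes first.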