Out-of-bounds read in libexpat expat

1) Out-of-bounds read

EUVDB-ID: #VU31845

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2009-3720

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when processing an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625 within the The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used. A remote attacker can create a specially crafted file, pass it to the application, trigger out-of-bounds read error and crash the affected application.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

expat: 11.0.5

CPE2.3

• cpe:2.3:a:libexpat_org:libexpat:11.0.5:*:*:*:*:*:*:*

External links

https://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
https://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log
https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051228.html
https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051247.html
https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051367.html
https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051405.html
https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051442.html
https://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
https://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
https://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
https://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
https://lists.vmware.com/pipermail/security-announce/2010/000082.html
https://mail.python.org/pipermail/expat-bugs/2009-January/002781.html
https://marc.info/?l=bugtraq&m=130168502603566&w=2
https://secunia.com/advisories/37324
https://secunia.com/advisories/37537
https://secunia.com/advisories/37925
https://secunia.com/advisories/38050
https://secunia.com/advisories/38231
https://secunia.com/advisories/38794
https://secunia.com/advisories/38832
https://secunia.com/advisories/38834
https://secunia.com/advisories/39478
https://secunia.com/advisories/41701
https://secunia.com/advisories/42326
https://secunia.com/advisories/42338
https://secunia.com/advisories/43300
https://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026
https://sourceforge.net/tracker/index.php?func=detail&aid=1990430&group_id=10127&atid=110127
https://sunsolve.sun.com/search/document.do?assetkey=1-66-273630-1
https://svn.python.org/view?view=rev&revision=74429
https://www.mandriva.com/security/advisories?name=MDVSA-2009:211
https://www.mandriva.com/security/advisories?name=MDVSA-2009:212
https://www.mandriva.com/security/advisories?name=MDVSA-2009:215
https://www.mandriva.com/security/advisories?name=MDVSA-2009:216
https://www.mandriva.com/security/advisories?name=MDVSA-2009:217
https://www.mandriva.com/security/advisories?name=MDVSA-2009:218
https://www.mandriva.com/security/advisories?name=MDVSA-2009:219
https://www.mandriva.com/security/advisories?name=MDVSA-2009:220
https://www.openwall.com/lists/oss-security/2009/08/21/2
https://www.openwall.com/lists/oss-security/2009/08/26/3
https://www.openwall.com/lists/oss-security/2009/08/26/4
https://www.openwall.com/lists/oss-security/2009/08/27/6
https://www.openwall.com/lists/oss-security/2009/09/06/1
https://www.openwall.com/lists/oss-security/2009/10/22/5
https://www.openwall.com/lists/oss-security/2009/10/22/9
https://www.openwall.com/lists/oss-security/2009/10/23/2
https://www.openwall.com/lists/oss-security/2009/10/23/6
https://www.openwall.com/lists/oss-security/2009/10/26/3
https://www.openwall.com/lists/oss-security/2009/10/28/3
https://www.redhat.com/support/errata/RHSA-2010-0002.html
https://www.redhat.com/support/errata/RHSA-2011-0896.html
https://www.securitytracker.com/id?1023160
https://www.ubuntu.com/usn/USN-890-1
https://www.ubuntu.com/usn/USN-890-6
https://www.vupen.com/english/advisories/2010/0528
https://www.vupen.com/english/advisories/2010/0896
https://www.vupen.com/english/advisories/2010/1107
https://www.vupen.com/english/advisories/2010/3035
https://www.vupen.com/english/advisories/2010/3053
https://www.vupen.com/english/advisories/2010/3061
https://www.vupen.com/english/advisories/2011/0359
https://bugs.gentoo.org/show_bug.cgi?id=280615
https://bugzilla.redhat.com/show_bug.cgi?id=531697
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11019
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12719
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7112
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00370.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00413.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01274.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.