Source: expat
Version: 2.8.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi Laszlo,

Sorry, more CVE issues for expat. I'm not going to file individual ones
for this batch, as the main purpose is to track the new ones for
unstable, affecting 2.8.1 and to be fixed in 2.8.2 when released.

The following vulnerabilities were published for expat.

CVE-2026-56403[0]:
| libexpat before 2.8.2 has an integer overflow in storeAtts.

CVE-2026-56404[1]:
| libexpat before 2.8.2 has an integer overflow in addBinding.

CVE-2026-56405[2]:
| libexpat before 2.8.2 has an integer overflow in getAttributeId.

CVE-2026-56406[3]:
| libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer
| because it lacked a check that was present in XML_Parse.

CVE-2026-56407[4]:
| libexpat before 2.8.2 has an integer overflow in doProlog that is
| related to storeEntityValue and entity textLen.

CVE-2026-56408[5]:
| libexpat before 2.8.2 has an integer overflow in copyString.

CVE-2026-56409[6]:
| xmlwf in libexpat before 2.8.2 has an integer overflow for the
| output filename when -d outputDir is used.

CVE-2026-56410[7]:
| xmlwf in libexpat before 2.8.2 has an integer overflow in
| resolveSystemId.

CVE-2026-56411[8]:
| xmlwf in libexpat before 2.8.2 has an integer overflow in
| endDoctypeDecl via NOTATION declarations.

CVE-2026-56412[9]:
| libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in
| doCdataSection and thus lacks handler call depth tracking for
| various calls from within handlers in cases of a policy violation.
| Thus, a use-after-free can occur. NOTE: this issue exists because of
| an incomplete fix for CVE-2026-50219.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56403
    https://www.cve.org/CVERecord?id=CVE-2026-56403
[1] https://security-tracker.debian.org/tracker/CVE-2026-56404
    https://www.cve.org/CVERecord?id=CVE-2026-56404
[2] https://security-tracker.debian.org/tracker/CVE-2026-56405
    https://www.cve.org/CVERecord?id=CVE-2026-56405
[3] https://security-tracker.debian.org/tracker/CVE-2026-56406
    https://www.cve.org/CVERecord?id=CVE-2026-56406
[4] https://security-tracker.debian.org/tracker/CVE-2026-56407
    https://www.cve.org/CVERecord?id=CVE-2026-56407
[5] https://security-tracker.debian.org/tracker/CVE-2026-56408
    https://www.cve.org/CVERecord?id=CVE-2026-56408
[6] https://security-tracker.debian.org/tracker/CVE-2026-56409
    https://www.cve.org/CVERecord?id=CVE-2026-56409
[7] https://security-tracker.debian.org/tracker/CVE-2026-56410
    https://www.cve.org/CVERecord?id=CVE-2026-56410
[8] https://security-tracker.debian.org/tracker/CVE-2026-56411
    https://www.cve.org/CVERecord?id=CVE-2026-56411
[9] https://security-tracker.debian.org/tracker/CVE-2026-56412
    https://www.cve.org/CVERecord?id=CVE-2026-56412

References to pull requests upstream are on the respective
security-tracker pages.

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

