Source: expat
Version: 2.8.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi Laszlo

Sorry, more CVE issues for expat. I'm not going to file individual ones
for this batch, as the main purpose is to track the new ones for
unstable, affecting 2.8.1 and to be fixed in 2.8.2 when released.

The following vulnerabilities were published for expat.

CVE-2026-56403[0]:
| libexpat before 2.8.2 has an integer overflow in storeAtts.


CVE-2026-56404[1]:
| libexpat before 2.8.2 has an integer overflow in addBinding.


CVE-2026-56405[2]:
| libexpat before 2.8.2 has an integer overflow in getAttributeId.


CVE-2026-56406[3]:
| libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer
| because it lacked a check that was present in XML_Parse.


CVE-2026-56407[4]:
| libexpat before 2.8.2 has an integer overflow in doProlog that is
| related to storeEntityValue and entity textLen.


CVE-2026-56408[5]:
| libexpat before 2.8.2 has an integer overflow in copyString.


CVE-2026-56409[6]:
| xmlwf in libexpat before 2.8.2 has an integer overflow for the
| output filename when -d outputDir is used.


CVE-2026-56410[7]:
| xmlwf in libexpat before 2.8.2 has an integer overflow in
| resolveSystemId.


CVE-2026-56411[8]:
| xmlwf in libexpat before 2.8.2 has an integer overflow in
| endDoctypeDecl via NOTATION declarations.


CVE-2026-56412[9]:
| libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in
| doCdataSection and thus lacks handler call depth tracking for
| various calls from within handlers in cases of a policy violation.
| Thus, a use-after-free can occur. NOTE: this issue exists because of
| an incomplete fix for CVE-2026-50219.
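Most of the entries above belong to one defect class: a length or offset sum that wraps before it is used to size an allocation or a copy (CVE-2026-56406 is the clearest statement of it, a check present in one entry point but missing in a sibling). The following is an added example, not code from expat, from this bug report, or from the upstream fixes, and it assumes nothing about expat's internal structures: a hypothetical growable text buffer whose every size computation is checked for overflow before it is used, plus a checked form of the `have + len` arithmetic a parser performs when a caller hands it another chunk. The names `text_buf`, `text_buf_append`, `safe_total_len` and `demo` are invented for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer used only for this example (not expat's). */
typedef struct {
    char *data;
    size_t used;   /* bytes currently stored */
    size_t cap;    /* bytes allocated */
} text_buf;

/* Checked version of "have + len" on int-sized API lengths.
   Returns false instead of letting the sum wrap. */
static bool safe_total_len(int have, int len, int *total) {
    if (have < 0 || len < 0)      /* negative lengths are never valid input */
        return false;
    if (len > INT_MAX - have)     /* have + len would exceed INT_MAX */
        return false;
    *total = have + len;
    return true;
}

/* Convenience wrapper: the checked total, or -1 when it would overflow. */
static int total_or_minus1(int have, int len) {
    int t;
    return safe_total_len(have, len, &t) ? t : -1;
}

/* Append len bytes to b, growing storage as needed. Every size computation
   is validated before it feeds an allocation or a memcpy. */
static bool text_buf_append(text_buf *b, const char *src, size_t len) {
    if (len > SIZE_MAX - b->used)          /* used + len would wrap */
        return false;
    size_t need = b->used + len;
    if (need > b->cap) {
        size_t new_cap = b->cap ? b->cap : 64;
        while (new_cap < need) {
            if (new_cap > SIZE_MAX / 2)     /* doubling would wrap */
                return false;
            new_cap *= 2;
        }
        char *p = realloc(b->data, new_cap);
        if (!p)
            return false;
        b->data = p;
        b->cap = new_cap;
    }
    memcpy(b->data + b->used, src, len);
    b->used = need;
    return true;
}

static void text_buf_free(text_buf *b) {
    free(b->data);
    b->data = NULL;
    b->used = b->cap = 0;
}

/* Self-check on constructed input: two small chunks are accepted, an absurd
   length is refused before any allocation happens. Returns 1 on success. */
static int demo(void) {
    text_buf b = {0};
    int total;
    if (!text_buf_append(&b, "<doc>", 5)) return 0;
    if (!text_buf_append(&b, "</doc>", 6)) return 0;
    if (b.used != 11 || memcmp(b.data, "<doc></doc>", 11) != 0) return 0;
    if (text_buf_append(&b, "x", SIZE_MAX)) return 0;   /* must be refused */
    if (safe_total_len(INT_MAX, 1, &total)) return 0;   /* must be refused */
    text_buf_free(&b);
    return 1;
}

int main(void) {
    return demo() ? 0 : 1;
}
```

The point of the pattern is that the overflow check is expressed against the limit (`SIZE_MAX - used`, `INT_MAX - have`) rather than by testing the already-wrapped sum, and that it sits in the one helper every entry point calls, so a second entry point cannot quietly lack it.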


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56403
    https://www.cve.org/CVERecord?id=CVE-2026-56403
[1] https://security-tracker.debian.org/tracker/CVE-2026-56404
    https://www.cve.org/CVERecord?id=CVE-2026-56404
[2] https://security-tracker.debian.org/tracker/CVE-2026-56405
    https://www.cve.org/CVERecord?id=CVE-2026-56405
[3] https://security-tracker.debian.org/tracker/CVE-2026-56406
    https://www.cve.org/CVERecord?id=CVE-2026-56406
[4] https://security-tracker.debian.org/tracker/CVE-2026-56407
    https://www.cve.org/CVERecord?id=CVE-2026-56407
[5] https://security-tracker.debian.org/tracker/CVE-2026-56408
    https://www.cve.org/CVERecord?id=CVE-2026-56408
[6] https://security-tracker.debian.org/tracker/CVE-2026-56409
    https://www.cve.org/CVERecord?id=CVE-2026-56409
[7] https://security-tracker.debian.org/tracker/CVE-2026-56410
    https://www.cve.org/CVERecord?id=CVE-2026-56410
[8] https://security-tracker.debian.org/tracker/CVE-2026-56411
    https://www.cve.org/CVERecord?id=CVE-2026-56411
[9] https://security-tracker.debian.org/tracker/CVE-2026-56412
    https://www.cve.org/CVERecord?id=CVE-2026-56412

References to pull requests upstream are on the respective
security-tracker pages.

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
