Expat contains a flaw in the handling XML files that may allow a remote denial of service. The issue is due to the 'updatePosition()' function in lib/xmltok_impl.c. With a specially crafted XML file containing malformed UTF-8 sequences, a context-dependent attacker can cause the service to crash.

Currently, there are no known workarounds or upgrades to correct this issue. However, a patch has been committed to the source code repository (e.g. GIT, CVS, SVN) that addresses this vulnerability. Until it is incorporated into the next release of the software, manually patching an existing installation is the only known available solution. Check the vendor links in the references section for more information.

• Vendor Specific News/Changelog Entry: https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-April/001081.html http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
  http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log
  http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051405.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051442.html
  http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059172.html
  http://lists.fedoraproject.org/pipermail/package-announce/2011-April/059176.html
  http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055920.html
  http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055925.html
  http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
  http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
  http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
  http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
  http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
  http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00003.html
  http://lists.vmware.com/pipermail/security-announce/2010/000082.html
  http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026
  http://sourceforge.net/tracker/index.php?func=detail&aid=1990430&group_id=10127&atid=110127
  http://svn.python.org/view?view=rev&revision=74429
  http://www-01.ibm.com/support/docview.wss?uid=swg1PM24234
  http://www.apache.org/dist/httpd/Announcement2.2.html
  http://www.apache.org/dist/httpd/CHANGES_2.2.17
  http://www.gentoo.org/security/en/glsa/glsa-201209-06.xml
  https://bugs.gentoo.org/show_bug.cgi?id=280615
  https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00370.html
  https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00394.html
  https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00413.html
  https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01274.html
  https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00067.html
  https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00079.html
  https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00106.html
  https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00137.html
  https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00174.html
  https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00175.html
• CVE ID: 2009-3720 (see also: NVD)
• Secunia Advisory ID: 37211 37234 37245 37307 37324 37537 37561 37593 37925 38050 38074 38152 38231 38291 38318 38324 38331 38332 38442 38642 38794 38832 38834 39478 39771 39967 40167 40855 41011 41701 41811 42231 42326 42338 43300 43787 43991 44434 44461 44474 46041 47608 47758 50695
• Vendor URL: http://expat.sourceforge.net/
• Vendor Specific Solution URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02752210
• Vendor Specific Advisory URL: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051228.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051247.html
  http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00002.html
  http://support.avaya.com/css/P8/documents/100071807
  http://support.avaya.com/css/P8/documents/100072379
  http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
  http://www.ubuntu.com/usn/USN-890-1
  http://www.ubuntu.com/usn/USN-890-2
  http://www.ubuntu.com/usn/USN-890-3
  http://www.ubuntu.com/usn/USN-890-4
  http://www.ubuntu.com/usn/USN-890-5
  http://www.us.debian.org/security/2010/dsa-1977
  http://www.vmware.com/security/advisories/VMSA-2012-0001.html
  https://kb.bluecoat.com/index?page=content&id=SA61
  https://kb.bluecoat.com/index?page=content&id=SA62
  https://kb.bluecoat.com/index?page=content&id=SA63
• Other Advisory URL: http://mail.python.org/pipermail/expat-bugs/2009-January/002781.html
  http://sunsolve.sun.com/search/document.do?assetkey=1-66-273630-1
  http://www.mandriva.com/security/advisories?name=MDVSA-2009:211
  http://www.openwall.com/lists/oss-security/2009/08/21/2
  http://www.openwall.com/lists/oss-security/2009/08/26/3
  http://www.openwall.com/lists/oss-security/2009/08/26/4
  http://www.openwall.com/lists/oss-security/2009/08/27/6
  http://www.openwall.com/lists/oss-security/2009/09/06/1
  http://www.openwall.com/lists/oss-security/2009/10/22/5
  http://www.openwall.com/lists/oss-security/2009/10/22/9
  http://www.openwall.com/lists/oss-security/2009/10/23/2
  http://www.openwall.com/lists/oss-security/2009/10/23/6
  http://www.openwall.com/lists/oss-security/2009/10/26/3
  http://www.openwall.com/lists/oss-security/2009/10/28/3
  http://www.python.org/download/releases/2.5.5/NEWS.txt
• RedHat RHSA: http://rhn.redhat.com/errata/RHSA-2009-1572.html
  http://rhn.redhat.com/errata/RHSA-2009-1625.html
  https://rhn.redhat.com/errata/RHSA-2010-0002.html
  https://rhn.redhat.com/errata/RHSA-2011-0491.html
  https://rhn.redhat.com/errata/RHSA-2011-0492.html
• Mail List Post: http://seclists.org/bugtraq/2011/Apr/9

• Peter Valchev