CVE-2013-0340

Publication date 21 January 2014

Last updated 24 July 2024


Ubuntu priority

expat 2.1.0 and earlier does not properly handle entity expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
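The mitigation the description points at is an entity declaration handler that refuses external entities before any reference to them can be expanded. The following is an added example, not expat's or Ubuntu's code: it uses Python's standard-library pyexpat binding, which exposes the same XML_SetEntityDeclHandler hook, and its size cap for internal entities is our own simple guard, not the expat 2.4.0 heuristics mentioned in the notes. All sample documents are constructed.

```python
# Added example (not expat's or Ubuntu's code). Python's stdlib pyexpat binding
# exposes expat's XML_SetEntityDeclHandler as EntityDeclHandler.
import xml.parsers.expat as expat

# Our own guard against internal-entity amplification (assumption, not expat's).
MAX_INTERNAL_ENTITY_BYTES = 4096


class UnsafeEntity(Exception):
    """Raised inside a handler; pyexpat propagates it out of Parse()."""


def parse_untrusted(xml_text: str) -> list:
    """Return element names seen, or raise UnsafeEntity. External entities
    (SYSTEM/PUBLIC id) and parameter entities are refused at declaration,
    before any reference to them could be expanded."""
    parser = expat.ParserCreate()
    seen = []
    declared = [0]  # running byte count of internal replacement text

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise UnsafeEntity(f"external entity {name!r} -> {system_id!r}")
        if is_param:
            raise UnsafeEntity(f"parameter entity {name!r} refused")
        declared[0] += len(value or "")
        if declared[0] > MAX_INTERNAL_ENTITY_BYTES:
            raise UnsafeEntity("too much internal entity replacement text")

    def external_ref(context, base, system_id, public_id):
        # Never resolve external references, whatever the declaration said.
        raise UnsafeEntity(f"external reference to {system_id!r}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_text, True)
    return seen


def is_rejected(xml_text: str) -> bool:
    """True if parse_untrusted refused the document, False if it parsed."""
    try:
        parse_untrusted(xml_text)
    except UnsafeEntity:
        return True
    return False


# Constructed samples: a harmless internal entity, and an external entity
# declaration pointing at a placeholder path (no real target).
BENIGN = '<!DOCTYPE r [<!ENTITY hi "hello">]><r><a>&hi;</a></r>'
XXE = '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///placeholder">]><r>&xxe;</r>'
```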


Status

Package Ubuntu Release Status
apache2 13.04 raring Ignored end of life
12.10 quantal Ignored end of life
12.04 LTS precise Ignored end of life
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Ignored end of life
apr-util 13.04 raring Ignored end of life
12.10 quantal Ignored end of life
12.04 LTS precise Ignored end of life
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Ignored end of life
audacity 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
ayttm 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
cableswig 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
cadaver 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
celementtree 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Ignored end of life
cmake 13.04 raring Ignored end of life
12.10 quantal Ignored end of life
12.04 LTS precise Ignored end of life
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Ignored end of life
coin3 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Not in release
expat 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored
gdcm 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Not in release
ghostscript 13.04 raring Ignored end of life
12.10 quantal Ignored end of life
12.04 LTS precise Ignored end of life
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Ignored end of life
grmonitor 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Ignored end of life
insighttoolkit 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
kompozer 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
libparagui1.1 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
matanza 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
paraview 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Not in release
poco 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
python-xml 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Ignored end of life
python2.4 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Ignored
python2.5 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Ignored
python2.6 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Not in release
simgear 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
sitecopy 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
smart 13.04 raring Ignored end of life
12.10 quantal Ignored end of life
12.04 LTS precise Ignored end of life
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Ignored end of life
swish-e 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
tdom 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Not in release
texlive-bin 13.04 raring Ignored end of life
12.10 quantal Ignored end of life
12.04 LTS precise Ignored end of life
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Ignored end of life
tla 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
vnc4 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
vtk 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
w3c-libwww 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Ignored end of life
wbxml2 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
wxwidgets2.6 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
wxwidgets2.8 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Ignored end of life
wxwindows2.4 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Ignored end of life
xmlrpc-c 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Ignored end of life
xotcl 13.04 raring Ignored
12.10 quantal Ignored
12.04 LTS precise Ignored
11.10 oneiric Ignored end of life
10.04 LTS lucid Ignored
8.04 LTS hardy Not in release
xulrunner 13.04 raring Not in release
12.10 quantal Not in release
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Ignored end of life

Notes


jdstrand

PoC in oss-sec; no upstream commits as of 2013-03-21. Contacted upstream on their (possibly moderated) expat-bugs mailing list since their bug tracker was down; still no commits or upstream comments as of 2013-04-23.


mdeslaur

Expat does not read or parse external entities directly; it is up to applications to do so. http://seclists.org/oss-sec/2013/q2/78 Marking as ignored; application-specific CVEs should be assigned to individual applications.


seth-arnold

Upstream libexpat has introduced heuristics in 2.4.0 to limit the damage due to various entity expansion issues. These fixes won't be backported to previous releases due to the risk of regression, given the size, complexity, and new APIs.