CVE-2019-15903
Publication date 4 September 2019
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
Status
Package | Ubuntu Release | Status |
---|---|---|
apache2 | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
|
apr-util | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
|
audacity | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release | |
ayttm | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
cableswig | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
cadaver | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
chromium-browser | 24.10 oracular |
Fixed 78.0.3904.70-0ubuntu1
|
24.04 LTS noble |
Fixed 78.0.3904.70-0ubuntu1
|
|
22.04 LTS jammy |
Fixed 78.0.3904.70-0ubuntu1
|
|
20.04 LTS focal |
Fixed 78.0.3904.70-0ubuntu1
|
|
18.04 LTS bionic |
Fixed 78.0.3904.70-0ubuntu0.18.04.2
|
|
16.04 LTS xenial |
Fixed 78.0.3904.70-0ubuntu0.16.04.2
|
|
14.04 LTS trusty | Not in release | |
cmake | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release | |
coin3 | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial |
Vulnerable
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed | |
expat | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Fixed 2.2.5-3ubuntu0.2
|
|
16.04 LTS xenial |
Fixed 2.1.0-7ubuntu0.16.04.5
|
|
14.04 LTS trusty |
Fixed 2.1.0-4ubuntu1.4+esm2
|
|
firefox | 24.10 oracular |
Fixed 70.0+build2-0ubuntu1
|
24.04 LTS noble |
Fixed 70.0+build2-0ubuntu1
|
|
22.04 LTS jammy |
Fixed 70.0+build2-0ubuntu1
|
|
20.04 LTS focal |
Fixed 70.0+build2-0ubuntu1
|
|
18.04 LTS bionic |
Fixed 70.0+build2-0ubuntu0.18.04.1
|
|
16.04 LTS xenial |
Fixed 70.0+build2-0ubuntu0.16.04.1
|
|
14.04 LTS trusty | Not in release | |
gdcm | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
|
ghostscript | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release | |
insighttoolkit | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
insighttoolkit4 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
kompozer | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
libparagui1.1 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
libxmltok | 24.10 oracular |
Vulnerable
|
24.04 LTS noble |
Vulnerable
|
|
22.04 LTS jammy |
Fixed 1.2-4ubuntu0.22.04.1~esm1
|
|
20.04 LTS focal |
Fixed 1.2-4ubuntu0.20.04.1~esm1
|
|
18.04 LTS bionic |
Fixed 1.2-4ubuntu0.18.04.1~esm1
|
|
16.04 LTS xenial |
Fixed 1.2-3ubuntu0.16.04.1~esm2
|
|
14.04 LTS trusty | Ignored end of standard support | |
matanza | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
poco | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
|
simgear | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release | |
sitecopy | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble | Not in release | |
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
smart | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release | |
swish-e | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
tdom | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
texlive-bin | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release | |
thunderbird | 24.10 oracular |
Fixed 1:68.2.0+build1.1-0ubuntu1
|
24.04 LTS noble |
Fixed 1:68.2.0+build1.1-0ubuntu1
|
|
22.04 LTS jammy |
Fixed 1:68.2.0+build1.1-0ubuntu1
|
|
20.04 LTS focal |
Fixed 1:68.2.0+build1.1-0ubuntu1
|
|
18.04 LTS bionic |
Fixed 1:68.2.1+build1-0ubuntu0.18.04.1
|
|
16.04 LTS xenial |
Fixed 1:68.7.0+build1-0ubuntu0.16.04.2
|
|
14.04 LTS trusty | Not in release | |
vnc4 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial |
Vulnerable
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed | |
vtk | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Fixed 5.10.1+dfsg-2.1ubuntu0.1~esm1
|
|
14.04 LTS trusty |
Fixed 5.8.0-14.1ubuntu3+esm1
|
|
wbxml2 | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
wxwidgets2.8 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
xmlrpc-c | 24.10 oracular |
Vulnerable
|
24.04 LTS noble |
Vulnerable
|
|
22.04 LTS jammy |
Vulnerable
|
|
20.04 LTS focal |
Vulnerable
|
|
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial |
Vulnerable
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProSeverity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4202-1
- Thunderbird vulnerabilities
- 26 November 2019
- USN-4335-1
- Thunderbird vulnerabilities
- 21 April 2020
- USN-4165-1
- Firefox vulnerabilities
- 23 October 2019
- USN-4132-2
- Expat vulnerability
- 12 September 2019
- USN-4132-1
- Expat vulnerability
- 12 September 2019
- USN-4852-1
- VTK vulnerabilities
- 15 March 2021
- USN-5455-1
- xmltok library vulnerabilities
- 19 July 2022
Other references
- https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
- https://github.com/libexpat/libexpat/issues/317
- https://github.com/libexpat/libexpat/pull/318
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-15903
- https://www.cve.org/CVERecord?id=CVE-2019-15903