-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 20 Feb 2022 17:08:18 +0100
Source: expat
Architecture: source
Version: 2.2.10-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1005894 1005895
Changes:
 expat (2.2.10-2+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent stack exhaustion in build_model (CVE-2022-25313)
   * Prevent integer overflow in storeRawNames (CVE-2022-25315)
   * Prevent integer overflow in copyString (CVE-2022-25314)
   * lib: Fix (harmless) use of uninitialized memory
   * lib: Protect against malicious namespace declarations (CVE-2022-25236)
     (Closes: #1005895)
   * tests: Cover CVE-2022-25236
   * lib: Drop unused macro UTF8_GET_NAMING
   * lib: Add missing validation of encoding (CVE-2022-25235)
     (Closes: #1005894)
   * lib: Add comments to BT_LEAD* cases where encoding has already been
     validated
   * tests: Cover missing validation of encoding (CVE-2022-25235)
   * Fix build_model regression.
   * tests: Protect against nested element declaration model regressions
Package-Type: udeb
Checksums-Sha1:
 65b091ad484ca78f0d974ea87812286fb815ebbe 2175 expat_2.2.10-2+deb11u2.dsc
 4fe82dd3d1963aeddc0368890cd22fec8a62030c 25192 expat_2.2.10-2+deb11u2.debian.tar.xz
Checksums-Sha256:
 6baf9313138838ef15bcc454e73c041c8cd0aef70e1f4e074c88f6caabc23fd3 2175 expat_2.2.10-2+deb11u2.dsc
 76a3b5cd539b299fac69502009dec3acbb3a4020732df548ddbde4344d8fa27e 25192 expat_2.2.10-2+deb11u2.debian.tar.xz
Files:
 12361cd6e83af439a8a6d307993fe802 2175 text optional expat_2.2.10-2+deb11u2.dsc
 eda469432dd5c3d92fa1f761b39d69df 25192 text optional expat_2.2.10-2+deb11u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----