Bug#560920: CVE-2009-3560 and CVE-2009-3720 denial-of-services
severity 560920 normal
tags 560920 -security
thanks

On Sat, Dec 12, 2009 at 10:48:50PM -0500, Michael Gilbert wrote:
> package: matanza
> severity: serious
> tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for expat. I have determined that this package embeds a
> vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is
> a mass bug filing (due to so many packages embedding expat), I have
> not had time to determine whether the vulnerable code is actually
> present in any of the binary packages derived from this source package.
> Please determine whether this is the case. If the binary packages are
> not affected, please feel free to close the bug with a message
> containing the details of what you did to check.

Matanza only uses expat to parse data about game universes. Triggering
a crash with that is hardly a security issue.

Cheers,
Moritz