FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 17:01:17 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
ca5f3bbc-7a62-11ef-9533-f875a43e1796 | expat -- multiple vulnerabilities

libexpat reports:

  • CVE-2024-45490: Calling function XML_ParseBuffer with len < 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the fix, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and now documented. Impact is denial of service to potentially arbitrary code execution.
  • CVE-2024-45491: Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution.
  • CVE-2024-45492: Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution.

Discovery 2024-09-24
Entry 2024-09-24
expat < 2.6.3

CVE-2024-45490
CVE-2024-45491
CVE-2024-45492
https://github.com/libexpat/libexpat/blob/master/expat/Changes
0a0670a1-3e1a-11ed-b48b-e0d55e2a8bf9 | expat -- Heap use-after-free vulnerability

Debian Security Advisory reports:

Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.


Discovery 2022-09-14
Entry 2022-09-27
expat < 2.4.9

CVE-2022-40674
https://www.debian.org/security/2022/dsa-5236
https://nvd.nist.gov/vuln/detail/CVE-2022-40674