CVE-2019-15903
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-15903
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-15903.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-15903
- Downstream
- Related
- Published
- 2019-09-04T06:15:10Z
- Modified
- 2025-10-21T08:59:53.654026Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XMLGetCurrentLineNumber (or XMLGetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
- References
-
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html
- http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
- http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html
- http://seclists.org/fulldisclosure/2019/Dec/23
- http://seclists.org/fulldisclosure/2019/Dec/26
- http://seclists.org/fulldisclosure/2019/Dec/27
- http://seclists.org/fulldisclosure/2019/Dec/30
- https://access.redhat.com/errata/RHSA-2019:3210
- https://access.redhat.com/errata/RHSA-2019:3237
- https://access.redhat.com/errata/RHSA-2019:3756
- https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
- https://github.com/libexpat/libexpat/issues/317
- https://github.com/libexpat/libexpat/issues/342
- https://github.com/libexpat/libexpat/pull/318
- https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html
- https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html
- https://seclists.org/bugtraq/2019/Dec/17
- https://seclists.org/bugtraq/2019/Dec/21
- https://seclists.org/bugtraq/2019/Dec/23
- https://seclists.org/bugtraq/2019/Nov/1
- https://seclists.org/bugtraq/2019/Nov/24
- https://seclists.org/bugtraq/2019/Oct/29
- https://seclists.org/bugtraq/2019/Sep/30
- https://seclists.org/bugtraq/2019/Sep/37
- https://security.gentoo.org/glsa/201911-08
- https://security.netapp.com/advisory/ntap-20190926-0004/
- https://support.apple.com/kb/HT210785
- https://support.apple.com/kb/HT210788
- https://support.apple.com/kb/HT210789
- https://support.apple.com/kb/HT210790
- https://support.apple.com/kb/HT210793
- https://support.apple.com/kb/HT210794
- https://support.apple.com/kb/HT210795
- https://usn.ubuntu.com/4132-1/
- https://usn.ubuntu.com/4132-2/
- https://usn.ubuntu.com/4165-1/
- https://usn.ubuntu.com/4202-1/
- https://usn.ubuntu.com/4335-1/
- https://www.debian.org/security/2019/dsa-4530
- https://www.debian.org/security/2019/dsa-4549
- https://www.debian.org/security/2019/dsa-4571
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.tenable.com/security/tns-2021-11
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/
Affected packages
Git / github.com/libexpat/libexpat
Affected ranges
- Type
- GIT
- Repo
- https://github.com/libexpat/libexpat
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
REC1_0
R_1_95_0
R_1_95_2
R_1_95_3
R_1_95_4
R_1_95_5
R_1_95_6
R_1_95_7
R_1_95_8
R_2_0_0
R_2_0_1
R_2_1_0
R_2_1_1
R_2_2_0
R_2_2_1
R_2_2_2
R_2_2_3
R_2_2_4
R_2_2_5
R_2_2_6
R_2_2_7
V1990307
V19981122
V19981231
V19990109
V19990425
V19990626
V19990709
V19990728
V19991013
V1_0
V1_1
V20000512
beta2
beta3
beta4
jclark-orig
libexpat-alpha-1
sourceforge_init
start
Database specific
vanir_signatures
[
{
"source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43",
"target": {
"function": "doProlog",
"file": "expat/lib/xmlparse.c"
},
"digest": {
"function_hash": "125271961576543742310629350504968019617",
"length": 27888.0
},
"signature_version": "v1",
"id": "CVE-2019-15903-0d752d8d",
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43",
"target": {
"function": "processInternalEntity",
"file": "expat/lib/xmlparse.c"
},
"digest": {
"function_hash": "258898664727023212628731136448884091064",
"length": 1541.0
},
"signature_version": "v1",
"id": "CVE-2019-15903-3992c034",
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43",
"target": {
"function": "prologProcessor",
"file": "expat/lib/xmlparse.c"
},
"digest": {
"function_hash": "320542276707726540903784573260106917696",
"length": 347.0
},
"signature_version": "v1",
"id": "CVE-2019-15903-4fa8a18a",
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43",
"target": {
"function": "internalEntityProcessor",
"file": "expat/lib/xmlparse.c"
},
"digest": {
"function_hash": "87559746390753119708030472024368882252",
"length": 1691.0
},
"signature_version": "v1",
"id": "CVE-2019-15903-50a68847",
"signature_type": "Function",
"deprecated": false
},
{
"source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43",
"target": {
"file": "expat/lib/xmlparse.c"
},
"digest": {
"line_hashes": [
"132983735470197785746052135782572205033",
"146204224061470080606983094059913412689",
"7599560151177139529648421590374092798",
"43488536384691544214046994497908120940",
"316924857856242392275636406882952016268",
"313502711495946994497639020874340401069",
"195484947523758424504813833072420643936",
"66393858657853185419579310156918223010",
"255221502895981869157887834697152878351",
"106795823336306937525621181615350467828",
"226320368211189727652238023669300150723",
"120536527396395186340591214598221850705",
"157897276731025067219377731738911663661",
"56387941961793144568065674959231386429",
"122849457964806115309741096903856490512",
"175297395996681036848075065183921967929",
"299387118000825267278833341847060218101",
"276502891951823894309157759029430923936",
"56631634594391992920425749299177991860",
"128211256018775436878936886506812361210",
"136991866931827280169215334671955339519",
"267326537430448345157071811058789050241",
"281089508152999328292147815149430177071",
"266760975306673981287073430543841070947",
"136991866931827280169215334671955339519",
"267326537430448345157071811058789050241",
"281089508152999328292147815149430177071",
"145115243084578848234012712515518269345",
"130000406535845302189293374835665079658",
"249245281332386594223044783888918985169",
"150401336559048452177710326613018819487",
"41422063577574542654899415359947089205"
],
"threshold": 0.9
},
"signature_version": "v1",
"id": "CVE-2019-15903-52ad81f3",
"signature_type": "Line",
"deprecated": false
},
{
"source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43",
"target": {
"function": "externalParEntProcessor",
"file": "expat/lib/xmlparse.c"
},
"digest": {
"function_hash": "217326096847551269990637517059988824832",
"length": 878.0
},
"signature_version": "v1",
"id": "CVE-2019-15903-9c136d97",
"signature_type": "Function",
"deprecated": false
}
]