7.5 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): HIGH
Libexpat: expat: improper restriction of xml entity expansion depth in libexpat
A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
Affected products
- *
- <2.7.0
- *
- *
- *
- *
- *
- *
- *
Matching in nixpkgs
pkgs.expat
Stream-oriented XML parser library written in C
pkgs.xmlrpc_c
Lightweight RPC library based on XML and HTTP
pkgs.firefoxpwa
Tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox (native component)
pkgs.faust2firefox
The faust2firefox script, part of faust functional programming language for realtime audio signal processing
pkgs.firefox_decrypt
Tool to extract passwords from profiles of Mozilla Firefox and derivatives
pkgs.firefox-unwrapped
Web browser built from Firefox source tree
pkgs.firefox-sync-client
Commandline-utility to list/view/edit/delete entries in a firefox-sync account.
pkgs.luaPackages.luaexpat
XML Expat parsing
pkgs.firefox-esr-unwrapped
Web browser built from Firefox source tree
- nixos-unstable 128.5.0esr
- nixpkgs-unstable 128.5.0esr
- nixos-unstable-small 128.5.1esr
pkgs.firefox-beta-unwrapped
Web browser built from Firefox Beta Release source tree
pkgs.haskellPackages.hexpat
XML parser/formatter based on expat
pkgs.lua51Packages.luaexpat
XML Expat parsing
pkgs.lua52Packages.luaexpat
XML Expat parsing
pkgs.lua53Packages.luaexpat
XML Expat parsing
pkgs.lua54Packages.luaexpat
XML Expat parsing
pkgs.luajitPackages.luaexpat
XML Expat parsing
pkgs.emacsPackages.evil-expat
None
- nixos-unstable 20190521.714
- nixpkgs-unstable 20190521.714
- nixos-unstable-small 20190521.714
pkgs.haskellPackages.hxt-expat
Expat parser for HXT
pkgs.thunderbird-128-unwrapped
Full-featured e-mail client
- nixos-unstable 128.4.3esr
- nixpkgs-unstable 128.4.3esr
- nixos-unstable-small 128.5.1esr
pkgs.emacsPackages.helm-firefox
None
- nixos-unstable 20220420.1346
- nixpkgs-unstable 20220420.1346
- nixos-unstable-small 20220420.1346
pkgs.firefox-devedition-unwrapped
Web browser built from Firefox Developer Edition source tree
pkgs.haskellPackages.hexpat-pickle
XML picklers based on hexpat, source-code-similar to those of the HXT package
pkgs.emacsPackages.exwm-firefox-core
None
- nixos-unstable 20190812.2110
- nixpkgs-unstable 20190812.2110
- nixos-unstable-small 20190812.2110
pkgs.emacsPackages.exwm-firefox-evil
None
- nixos-unstable 20231026.309
- nixpkgs-unstable 20231026.309
- nixos-unstable-small 20231026.309
pkgs.gnomeExtensions.firefox-profiles
This GNOME extension makes it easy to launch Firefox with a specific profile from the indicator menu.
pkgs.chickenPackages_5.chickenEggs.expat
An interface to James Clark's Expat XML parser
pkgs.thunderbirdPackages.thunderbird-esr
Full-featured e-mail client
- nixos-unstable 128.4.3esr
- nixpkgs-unstable 128.4.3esr
- nixos-unstable-small 128.5.1esr
pkgs.emacsPackages.firefox-javascript-repl
None
pkgs.thunderbirdPackages.thunderbird-latest
Full-featured e-mail client
pkgs.gnomeExtensions.firefox-pip-always-on-top
Ensure that Firefox Picture-in-Picture windows are always on top
pkgs.vscode-extensions.firefox-devtools.vscode-firefox-debug
Visual Studio Code extension for debugging web applications and browser extensions in Firefox
Package maintainers
- @pmahoney Patrick Mahoney <pat@polycrystal.org>
- @magnetophon Bart Brouns <bart@magnetophon.nl>
- @jopejoe1 jopejoe1 <nixpkgs@missing.ninja>
- @mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
- @ambroisie Bruno BELANYI <bruno.nixpkgs@belanyi.fr>
- @lovesegfault Bernardo Meurer <meurerbernardo@gmail.com>
- @schnusch schnusch
- @adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
- @camillemndn Camille M. <camillemondon@free.fr>
- @pasqui23 pasqui23 <p3dimaria@hotmail.it>
- @honnip Jung seungwoo <me@honnip.page>
- @flosse Markus Kohlhase <mail@markus-kohlhase.de>
- @Shados Alexei Robyn <shados@shados.net>
- @vcunat Vladimír Čunát <v@cunat.cz>
- @nbp Nicolas B. Pierron <nixos@nbp.name>
- @felschr Felix Schröter <dev@felschr.com>
- @bjornfor Bjørn Forsman <bjorn.forsman@gmail.com>