{"id":"UBUNTU-CVE-2009-3560","details":"The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.","modified":"2026-01-30T01:42:47.673976Z","published":"2009-12-04T00:00:00Z","related":["USN-890-1","USN-890-2","USN-890-3","USN-890-4","USN-890-5","USN-890-6"],"upstream":["CVE-2009-3560"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2009-3560"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-890-1"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-890-2"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-890-3"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-890-4"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-890-5"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-890-6"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2009-3560"}],"affected":[{"package":{"name":"coin3","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/coin3@3.1.4~abc9f50-4ubuntu2+esm1?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.1.4~abc9f50-3","3.1.4~abc9f50-4","3.1.4~abc9f50-4ubuntu2","3.1.4~abc9f50-4ubuntu2+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"libcoin80","binary_version":"3.1.4~abc9f50-4ubuntu2+esm1"},{"binary_name":"libcoin80-dev","binary_version":"3.1.4~abc9f50-4ubuntu2+esm1"},{"binary_name":"libcoin80-runtime","binary_version":"3.1.4~abc9f50-4ubuntu2+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"cableswig","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/cableswig@0.1.0+git20150808-2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.1.0+git20150808-1","0.1.0+git20150808-2"],"ecosystem_specific":{"binaries":[{"binary_name":"cableswig","binary_version":"0.1.0+git20150808-2"},{"binary_name":"libcableswig-dev","binary_version":"0.1.0+git20150808-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"coin3","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/coin3@3.1.4~abc9f50+dfsg1-1ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.1.4~abc9f50+dfsg1-1","3.1.4~abc9f50+dfsg1-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"libcoin80-dev","binary_version":"3.1.4~abc9f50+dfsg1-1ubuntu0.1~esm1"},{"binary_name":"libcoin80-runtime","binary_version":"3.1.4~abc9f50+dfsg1-1ubuntu0.1~esm1"},{"binary_name":"libcoin80v5","binary_version":"3.1.4~abc9f50+dfsg1-1ubuntu0.1~esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"matanza","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/matanza@0.13+ds1-5?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.13+ds1-5"],"ecosystem_specific":{"binaries":[{"binary_name":"matanza","binary_version":"0.13+ds1-5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"swish-e","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/swish-e@2.4.7-4build1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.4.7-4","2.4.7-4build1"],"ecosystem_specific":{"binaries":[{"binary_name":"swish-e","binary_version":"2.4.7-4build1"},{"binary_name":"swish-e-dev","binary_version":"2.4.7-4build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"coin3","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/coin3@3.1.4~abc9f50+dfsg3-2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.1.4~abc9f50+dfsg1-2","3.1.4~abc9f50+dfsg2-1","3.1.4~abc9f50+dfsg3-1","3.1.4~abc9f50+dfsg3-2"],"ecosystem_specific":{"binaries":[{"binary_name":"libcoin80-dev","binary_version":"3.1.4~abc9f50+dfsg3-2"},{"binary_name":"libcoin80-runtime","binary_version":"3.1.4~abc9f50+dfsg3-2"},{"binary_name":"libcoin80v5","binary_version":"3.1.4~abc9f50+dfsg3-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"matanza","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/matanza@0.13+ds1-6?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.13+ds1-5build1","0.13+ds1-6"],"ecosystem_specific":{"binaries":[{"binary_name":"matanza","binary_version":"0.13+ds1-6"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"swish-e","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/swish-e@2.4.7-5ubuntu1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.4.7-5ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"swish-e","binary_version":"2.4.7-5ubuntu1"},{"binary_name":"swish-e-dev","binary_version":"2.4.7-5ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"matanza","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/matanza@0.13+ds2-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.13+ds1-6","0.13+ds2-1"],"ecosystem_specific":{"binaries":[{"binary_name":"matanza","binary_version":"0.13+ds2-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"swish-e","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/swish-e@2.4.7-6build2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.4.7-6build1","2.4.7-6build2"],"ecosystem_specific":{"binaries":[{"binary_name":"swish-e","binary_version":"2.4.7-6build2"},{"binary_name":"swish-e-dev","binary_version":"2.4.7-6build2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"matanza","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/matanza@0.13+ds2-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.13+ds2-1"],"ecosystem_specific":{"binaries":[{"binary_name":"matanza","binary_version":"0.13+ds2-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"swish-e","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/swish-e@2.4.7-6.1build1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.4.7-6build3","2.4.7-6.1","2.4.7-6.1build1"],"ecosystem_specific":{"binaries":[{"binary_name":"swish-e","binary_version":"2.4.7-6.1build1"},{"binary_name":"swish-e-dev","binary_version":"2.4.7-6.1build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"matanza","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/matanza@0.13+ds2-1build2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.13+ds2-1","0.13+ds2-1build1","0.13+ds2-1build2"],"ecosystem_specific":{"binaries":[{"binary_name":"matanza","binary_version":"0.13+ds2-1build2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"swish-e","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/swish-e@2.4.7-6.2build3?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.4.7-6.2","2.4.7-6.2build1","2.4.7-6.2build2","2.4.7-6.2build3"],"ecosystem_specific":{"binaries":[{"binary_name":"swish-e","binary_version":"2.4.7-6.2build3"},{"binary_name":"swish-e-dev","binary_version":"2.4.7-6.2build3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"matanza","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/matanza@0.13+ds2-2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.13+ds2-2"],"ecosystem_specific":{"binaries":[{"binary_name":"matanza","binary_version":"0.13+ds2-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"sitecopy","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/sitecopy@1:0.16.6-16build1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:0.16.6-16","1:0.16.6-16build1"],"ecosystem_specific":{"binaries":[{"binary_name":"sitecopy","binary_version":"1:0.16.6-16build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}},{"package":{"name":"swish-e","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/swish-e@2.4.7-7?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.4.7-6.3","2.4.7-6.3build1","2.4.7-7"],"ecosystem_specific":{"binaries":[{"binary_name":"swish-e","binary_version":"2.4.7-7"},{"binary_name":"swish-e-dev","binary_version":"2.4.7-7"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2009/UBUNTU-CVE-2009-3560.json"}}],"schema_version":"1.7.3","severity":[{"type":"Ubuntu","score":"medium"}]}