
List:       oss-security
Subject:    [oss-security] Expat 2.4.5 released, includes 5 security fixes
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2022-02-19 17:47:28
Message-ID: 48dab10c-9a77-cf3c-981d-c72b9345f7c5 () oracle ! com

From https://blog.hartwork.org/posts/expat-2-4-5-released/ :

> Expat 2.4.5 released, includes security fixes
> 2022-02-19 01:23
> 
> libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.
> 
> Expat 2.4.5 has been released a few hours ago. This release is about security fixes. There are 5 CVEs involved:
> CVE-2022-25235
> CVE-2022-25236
> CVE-2022-25313
> CVE-2022-25314
> CVE-2022-25315
> 
> Regarding impact of vulnerabilities, please note that looking at a vulnerability in isolation may miss part of the picture; e.g. if Expat passes malformed data to the application using Expat and that application isn't prepared for Expat violating their agreed API contract, you may end up with code execution from something that looked close to harmless, in isolation.
> For more details, please check out the change log.
> 
> If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.5. Thank you!
> Sebastian Pipping


From https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes :

> Release 2.4.5 Fri February 18 2022
> Security fixes:
> #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 sequences (e.g. from start tag names) to the XML processing application on top of Expat can cause arbitrary damage (e.g. code execution) depending on how invalid UTF-8 is handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist.
> #561  CVE-2022-25236 -- Passing (one or more) namespace separator characters in "xmlns[:prefix]" attribute values made Expat send malformed tag names to the XML processor on top of Expat which can cause arbitrary damage (e.g. code execution) depending on how such unexpectable cases are handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist.
> #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing that could be triggered by e.g. a 2 megabytes file with a large number of opening braces. Expected impact is denial of service or potentially arbitrary code execution.
> #560  CVE-2022-25314 -- Fix integer overflow in function copyString; only affects the encoding name parameter at parser creation time which is often hardcoded (rather than user input), takes a value in the gigabytes to trigger, and a 64-bit machine. Expected impact is denial of service.
> #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames; needs input in the gigabytes and a 64-bit machine. Expected impact is denial of service or potentially arbitrary code execution.
> 
> Other changes:
> #557 #564  Version info bumped from 9:4:8 to 9:5:8; see https://verbump.de/ for what these numbers do
> 
> Special thanks to:
> Ivan Fratric
> Samanta Navarro
> and
> Google Project Zero
> JetBrains

[Versions 2.4.3 & 2.4.4 fixed a number of CVEs as well if people missed those.]

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
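Added example, not part of Alan Coopersmith's post, the quoted blog entry, or the Expat project: a small Python wrapper around the Expat binding that ships with CPython (xml.parsers.expat) showing the two defensive checks that follow from the text above. It refuses to run on a linked Expat older than 2.4.5, and it validates the element names Expat hands to the application rather than assuming the parser already enforced its API contract (the point the CVE-2022-25236 entry makes about namespace separators in "xmlns[:prefix]" values). The ASCII-only NCName pattern, the space used as namespace separator, the `require_patched` flag and the sample document are all assumptions of this example.

```python
"""
Defensive use of the Expat binding bundled with CPython (added example).

  1. expat_is_patched():        refuse to run on Expat < 2.4.5.
  2. validate_qualified_name(): check every element name delivered by Expat
                                instead of trusting the parser's contract.
"""
import re
import xml.parsers.expat as expat

# First release that contains the five fixes listed in the advisory.
FIXED_VERSION = (2, 4, 5)

# XML NCName restricted to ASCII for brevity (assumption of this example).
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def expat_is_patched(version_info=None):
    """True when the linked Expat is at least 2.4.5 (or the given tuple is)."""
    vi = expat.version_info if version_info is None else version_info
    return tuple(vi) >= FIXED_VERSION


def validate_qualified_name(name, separator):
    """
    Check a name passed to StartElementHandler with namespace processing on.
    Expat's contract is "local" or "uri<sep>local"; a name carrying more
    separators, or a local part that is not an NCName, is rejected.
    """
    parts = name.split(separator)
    if len(parts) > 2:
        return False
    return _NCNAME.match(parts[-1]) is not None


class StrictParser:
    # Pick a separator that cannot occur in a namespace URI you accept;
    # a space is used here purely for readability (assumption).
    SEPARATOR = " "

    def __init__(self, require_patched=True):
        if require_patched and not expat_is_patched():
            raise RuntimeError(
                "linked Expat %s is older than 2.4.5" % expat.EXPAT_VERSION)
        self.names = []
        self._parser = expat.ParserCreate(namespace_separator=self.SEPARATOR)
        self._parser.StartElementHandler = self._start

    def _start(self, name, attrs):
        # Fail closed: an exception raised here propagates out of Parse().
        if not validate_qualified_name(name, self.SEPARATOR):
            raise ValueError("unexpected element name from parser: %r" % name)
        self.names.append(name)

    def parse(self, data):
        """Parse a complete document and return the expanded element names."""
        self._parser.Parse(data, True)
        return list(self.names)


# Constructed sample document (not taken from the advisory).
SAMPLE = b'<r xmlns="urn:ex:a" xmlns:b="urn:ex:b"><b:item/><plain/></r>'


def demo(require_patched=True):
    """Run the strict parser over the sample and return the names it saw."""
    return StrictParser(require_patched=require_patched).parse(SAMPLE)


if __name__ == "__main__":
    print("Expat", expat.EXPAT_VERSION, "patched:", expat_is_patched())
    print(demo())
```

On a patched Expat the handler-side check never fires for documents the parser accepts, which is exactly the point: it costs one regex per element and turns a future contract violation from the parser into a clean parse failure instead of whatever the downstream code does with an unexpected name.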

