List: oss-security
Subject: [oss-security] Expat 2.6.2 released, includes security fixes
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: 2024-03-15 16:57:05
Message-ID: 397f9357-0f60-45d2-b150-573028178755@oracle.com
https://blog.hartwork.org/posts/expat-2-6-2-released/ (published 2024-03-13)
announces the release of Expat 2.6.2, with security fixes:
> Regarding actual release content, most importantly, this release fixes the
> security issue CVE-2024-28757 that can be used to cause denial of service
> for code like…
>
> XML_Parser parser = XML_ParserCreate(NULL);
> XML_Parser ext_parser
> = XML_ExternalEntityParserCreate(parser, NULL, NULL);
> enum XML_Status status
> = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
>
> …where all input is sent to the external parser and none to the parent
> regular parser.
>
> The commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8
> explains the problem and solution in more detail.
>
> There is also a bugfix to reject direct parameter entity recursion and to
> avoid the related undefined behavior. The issue was uncovered by
> ClusterFuzz/OSS-Fuzz after 20+ years of being unreported; that speaks
> volumes for the value of fuzzing.
Further details on CVE-2024-28757 and its fix can be seen at:
https://github.com/libexpat/libexpat/issues/839
https://github.com/libexpat/libexpat/pull/842
https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454
The blog also points to the call for help maintaining libexpat in the Changelog
at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes which notes
that items that need someone to work on include:
!! - <blink>fixing a complex non-public security issue</blink>, !!
!! - teaming up on researching and fixing future security reports and !!
!! ClusterFuzz findings with few-days-max response times in communication !!
!! in order to (1) have a sound fix ready before the end of a 90 days !!
!! grace period and (2) in a sustainable manner, !!
--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
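The pattern the quoted blog post warns about sends every byte of input to the parser returned by XML_ExternalEntityParserCreate() and nothing to the parent parser. The shape Expat intends is the reverse: the parent parser consumes the document, and a child parser is created from inside the external entity reference handler to consume only the one entity it is asked to resolve. The following is an added example of that intended shape, written against Python's xml.parsers.expat binding of libexpat; it is not code from the Expat project, the blog post, or this announcement. The document, the in-memory entity table (standing in for fetching the entity's system identifier) and the function names are assumptions of the example.

```python
"""Added example (not from the Expat project or the blog post).

Uses Python's xml.parsers.expat binding of libexpat. The parent parser gets
the whole document; a child parser from ExternalEntityParserCreate() gets
only the body of the external entity it is resolving. External entity
bodies come from a constructed in-memory table so this runs offline.
"""
import xml.parsers.expat as expat

# Constructed stand-in for the external entities a real resolver would
# fetch by system identifier. Never fetch arbitrary system IDs that come
# from untrusted input.
EXTERNAL_ENTITIES = {
    "ext.xml": "<p>hello from the external entity</p>",
}

# Constructed document: the internal subset declares one external entity
# and the root element references it.
DOCUMENT = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE doc [\n'
    '  <!ENTITY ext SYSTEM "ext.xml">\n'
    ']>\n'
    '<doc>&ext;</doc>\n'
)


def expat_has_cve_2024_28757_fix():
    """True when the linked libexpat is at least 2.6.2, the release announced here."""
    return tuple(expat.version_info) >= (2, 6, 2)


def parse_with_parent(doc, entities=EXTERNAL_ENTITIES):
    """Parse `doc` with the regular (parent) parser.

    External entity references are resolved by a child parser created from
    the parent inside the handler, so the parent parser sees the document and
    the child sees only the entity body. Returns (element names in document
    order, concatenated character data). Raises expat.ExpatError on failure.
    """
    elements = []
    text = []

    parent = expat.ParserCreate()

    def start(name, attrs):
        elements.append(name)

    def chars(data):
        text.append(data)

    def external_entity_ref(context, base, system_id, public_id):
        # The child inherits the parent's handlers; `context` is the opaque
        # string Expat handed us and must be passed back unchanged.
        body = entities.get(system_id)
        if body is None:
            # Returning 0 makes the parent's Parse() fail with an ExpatError
            # instead of silently dropping the reference.
            return 0
        child = parent.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parent.StartElementHandler = start
    parent.CharacterDataHandler = chars
    parent.ExternalEntityRefHandler = external_entity_ref
    parent.Parse(doc, True)
    return elements, "".join(text)


def missing_entity_error(doc='<!DOCTYPE d [<!ENTITY x SYSTEM "missing.xml">]><d>&x;</d>'):
    """Return the ExpatError message for an unresolvable entity, or None if parsing succeeded."""
    try:
        parse_with_parent(doc, entities={})
    except expat.ExpatError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("libexpat", expat.EXPAT_VERSION,
          "(has 2.6.2 fix)" if expat_has_cve_2024_28757_fix() else "(older than 2.6.2)")
    print(parse_with_parent(DOCUMENT))
    print(missing_entity_error())
```

The version check only tells you which libexpat the interpreter is linked against; applications that embed a private copy of Expat need the same check against that copy. Whatever the version, the safe shape remains the one above: do not hand the whole input to a parser created by ExternalEntityParserCreate() while the parent parser receives none of it.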