List:       oss-security
Subject:    [oss-security] Expat 2.6.2 released, includes security fixes
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2024-03-15 16:57:05
Message-ID: 397f9357-0f60-45d2-b150-573028178755 () oracle ! com
https://blog.hartwork.org/posts/expat-2-6-2-released/ (published 2024-03-13)
announces the release of Expat 2.6.2, with security fixes:

> Regarding actual release content, most importantly, this release fixes the
> security issue CVE-2024-28757 that can be used to cause denial of service
> for code like…
> 
>     XML_Parser parser = XML_ParserCreate(NULL);
>     XML_Parser ext_parser
>       = XML_ExternalEntityParserCreate(parser, NULL, NULL);
>     enum XML_Status status
>       = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
> 
> …where all input is sent to the external parser and none to the parent
> regular parser.
> 
> The commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8
> explains the problem and solution in more detail.
> 
> There is also a bugfix to reject direct parameter entity recursion and to
> avoid the related undefined behavior. The issue was uncovered by
> ClusterFuzz/OSS-Fuzz after 20+ years of being unreported; that speaks
> volumes for the value of fuzzing.

Further details on CVE-2024-28757 and its fix can be seen at:
   https://github.com/libexpat/libexpat/issues/839
   https://github.com/libexpat/libexpat/pull/842
   https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
   https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454
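Since the fix ships in Expat 2.6.2, the practical question for most deployments is which copies of libexpat (system packages, vendored copies, the one built into CPython) still predate that release. The following is an added example, not code from this post or from the Expat project: it parses version strings in the forms `pkg-config --modversion expat` and Python's standard-library `pyexpat.EXPAT_VERSION` produce, compares them against 2.6.2, and triages a constructed inventory. The inventory entries are made-up sample data; the only real version fact used is the 2.6.2 threshold from the post.

```python
"""Triage libexpat copies against the CVE-2024-28757 fix release (2.6.2).

Added example for the oss-security post above; not part of the Expat project.
Versions below 2.6.2 are reported as lacking the fix, which is all the post
states; it does not assert which earlier releases are affected.
"""
import re
import pyexpat

# First release that contains the fix, per the post (Expat 2.6.2).
FIXED_VERSION = (2, 6, 2)


def parse_expat_version(text):
    """Return (major, minor, micro) from strings such as '2.6.2',
    'expat_2.6.2' (the pyexpat.EXPAT_VERSION format) or 'expat 2.5.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def has_cve_2024_28757_fix(version):
    """True when the (major, minor, micro) tuple is 2.6.2 or later."""
    return tuple(version) >= FIXED_VERSION


def triage(inventory):
    """Given {component: version_string}, return the components whose
    Expat copy predates 2.6.2, with the parsed version for the report."""
    needs_update = {}
    for component, version_text in inventory.items():
        version = parse_expat_version(version_text)
        if not has_cve_2024_28757_fix(version):
            needs_update[component] = ".".join(map(str, version))
    return needs_update


def check_running_python():
    """Report the Expat copy linked into this interpreter.  pyexpat exposes
    it as version_info (tuple of ints) and EXPAT_VERSION (string)."""
    version = tuple(pyexpat.version_info)
    return {
        "expat_version": pyexpat.EXPAT_VERSION,
        "has_fix": has_cve_2024_28757_fix(version),
    }


# Constructed sample inventory (hypothetical components and versions),
# in the shapes `pkg-config --modversion expat` and pyexpat produce.
SAMPLE_INVENTORY = {
    "system-libexpat": "2.5.0",
    "vendored-in-app": "expat_2.6.1",
    "container-base-image": "2.6.2",
    "build-toolchain": "expat_2.6.3",
}

if __name__ == "__main__":
    for component, version in triage(SAMPLE_INVENTORY).items():
        print(f"{component}: libexpat {version} predates the 2.6.2 fix")
    print("running interpreter:", check_running_python())
```

Run it as a script to see the triage of the sample inventory and the status of the interpreter's own Expat; the `triage` function is what you would point at a real package or SBOM inventory.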

The blog also points to the call for help maintaining libexpat in the Changelog
at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes which notes
that items that need someone to work on include:

!! - <blink>fixing a complex non-public security issue</blink>,              !!

!! - teaming up on researching and fixing future security reports and        !!
!!   ClusterFuzz findings with few-days-max response times in communication  !!
!!   in order to (1) have a sound fix ready before the end of a 90 days      !!
!!   grace period and (2) in a sustainable manner,                           !!

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris