#5016 (expat-2.4.6) – LFS Trac

comment:1 by ken@…, 3 years ago

Priority:	normal → high

Quoting Alan Coopersmith on oss-security:

"From https://blog.hartwork.org/posts/expat-2-4-5-released/ :

Expat 2.4.5 released, includes security fixes 2022-02-19 01:23

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used

software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.5 has been released a few hours ago. This release is about security fixes. There are 5

CVEs involved:

CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315

Regarding impact of vulnerabilities, please note that looking at a vulnerability in isolation may

miss part of the picture; e.g. if Expat passes malformed data to the application using Expat and that application isn't prepared for Expat violating their agreed API contract, you may end up with code execution from something that looked close to harmless, in isolation.

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere,

please update to 2.4.5. Thank you!

Sebastian Pipping

From https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes :

Release 2.4.5 Fri February 18 2022

Security fixes:

#562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8

sequences (e.g. from start tag names) to the XML processing application on top of Expat can cause arbitrary damage (e.g. code execution) depending on how invalid UTF-8 is handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist.

#561 CVE-2022-25236 -- Passing (one or more) namespace separator

characters in "xmlns[:prefix]" attribute values made Expat send malformed tag names to the XML processor on top of Expat which can cause arbitrary damage (e.g. code execution) depending on such unexpectable cases are handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist.

#558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing

that could be triggered by e.g. a 2 megabytes file with a large number of opening braces. Expected impact is denial of service or potentially arbitrary code execution.

#560 CVE-2022-25314 -- Fix integer overflow in function copyString;

only affects the encoding name parameter at parser creation time which is often hardcoded (rather than user input), takes a value in the gigabytes to trigger, and a 64-bit machine. Expected impact is denial of service.

#559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;

needs input in the gigabytes and a 64-bit machine. Expected impact is denial of service or potentially arbitrary code execution."

All of those are currently 'Awaiting Analysis' at NVD.

comment:2 by Xi Ruoyao, 3 years ago

Summary:	expat-2.4.5 → expat-2.4.6

Now 2.4.6.

Release 2.4.6 Sun February 20 2022 
        Bug fixes:
            #566  Fix a regression introduced by the fix for CVE-2022-25313
                    in release 2.4.5 that affects applications that (1)
                    call function XML_SetElementDeclHandler and (2) are
                    parsing XML that contains nested element declarations
                    (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").

So the security fixes have indeed introduced breaking changes...

Last edited 3 years ago by Xi Ruoyao (previous) (diff)

follow-up: 10 comment:3 by Xi Ruoyao, 3 years ago

2.4.5 and 2.4.6 cause Python test failure:

https://github.com/python/cpython/pull/31453

comment:4 by Douglas R. Reno, 3 years ago

The following packages use expat (that I am aware of). These were obtained by running a 'grep expat /usr/src/logs/*':

QtWebEngine

apr-util

httpd

php

serf

exiv2

libunique

dbus-python

Python2

cmake

fontconfig

dbus

polkit

gtk+-2

avahi

wayland

qt5

subversion

graphviz

git

Python3

dbus-glib

gdb

mesa

neon

libglade

libarchive

exempi

dovecot

unbound

XML::Parser

comment:5 by Bruce Dubbs, 3 years ago

Book updated at commit ba2dc1b6a71e75615b103963349fbdf2727e3672 but leaving ticket open for now.

comment:6 by Douglas R. Reno, 3 years ago

For the advisory, here are some details on the vulnerabilities:

CVE-2022-25235 - Base Score of 9.8/10. Description is "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.". Attack Vector is Network, no privileges or user interaction is required, attack complexity is low, Confidentiality/Integrity/Availability impact is High.

CVE-2022-25236 - Base Score of 9.8/10. Description is "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.". Attack Vector is Network, no privileges required or user interaction, attack complexity is Low, high impact to Confidentiality, Integrity, and Availability.

CVE-2022-25313 - Base Score of 7.5/10. Description is "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.". Attack Vector is Network, attack complexity is Low, No user interaction or privileges are required, high impact to Availability but none to confidentiality or integrity.

CVE-2022-25314 - Base Score of 7.5/10. Description is "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.". Attack Vector is Network, attack complexity is Low. No user interaction or privileges are required, high impact to Availability but none to confidentiality or integrity.

CVE-2022-25315 - Base Score of 9.8/10. Description is "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.". Attack Vector is Network, attack complexity is Low. No user interaction or privileges are required, High impact to availability, confidentiality, and integrity.

comment:7 by Douglas R. Reno, 3 years ago

Security Advisory is SA-11.0-086, will be submitted momentarily.

comment:8 by ken@…, 3 years ago

Successful builds of: apr-util-1.6.1, httpd-2.4.52.

comment:9 by Douglas R. Reno, 3 years ago

Exempi tested good

in reply to: 3 ; follow-up: 12 comment:10 by ken@…, 3 years ago

Replying to Xi Ruoyao:

2.4.5 and 2.4.6 cause Python test failure:

https://github.com/python/cpython/pull/31453

Apparently fixed in https://github.com/python/cpython/pull/31472, not sure if it is worth pulling that. With shipped 2.10.2 I get failures in test_minidom test_xml_etree

comment:11 by ken@…, 3 years ago

Successful builds of dbus-1.12.20, dbus-glib-0.112, fontconfig-2.13.1, git-2.35.1, libarchive-3.6.0, neon-0.32.2, polkit-0.120, Python-2.7.1, Python-3.10.2 rebuild, Unbound-1.15.0.

in reply to: 10 comment:12 by Xi Ruoyao, 3 years ago

not sure if it is worth pulling that

No IMO because this only changes test. There is not any real functional change.

I've added the description of the failures for Python 3 in BLFS. For LFS it seems we don't need a note as we don't recommend to run Python 3 tests in LFS anyway.

comment:13 by Xi Ruoyao, 3 years ago

Milestone:	11.2 → 11.1

comment:14 by ken@…, 3 years ago

Successful build of qtwebengine-5.15.8 showing -lexpat in the log, but qt-5.15.2 fdoes not mention expat in its log.

comment:15 by Bruce Dubbs, 3 years ago

Resolution:	→ fixed
Status:	new → closed

Files have been checked. Closing.

Context Navigation

#5016 closed enhancement (fixed)

expat-2.4.6

Description

Change History (15)