Opened 3 years ago
Closed 3 years ago
#5016 closed enhancement (fixed)
expat-2.4.6
Reported by: | Bruce Dubbs | Owned by: | lfs-book |
---|---|---|---|
Priority: | high | Milestone: | 11.1 |
Component: | Book | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (15)
comment:1 by , 3 years ago
Priority: | normal → high |
---|
comment:2 by , 3 years ago
Summary: | expat-2.4.5 → expat-2.4.6 |
---|
Now 2.4.6.
Release 2.4.6 Sun February 20 2022 Bug fixes: #566 Fix a regression introduced by the fix for CVE-2022-25313 in release 2.4.5 that affects applications that (1) call function XML_SetElementDeclHandler and (2) are parsing XML that contains nested element declarations (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
So the security fixes have indeed introduce breaking changes...
comment:4 by , 3 years ago
The following packages use expat (that I am aware of). These were obtained by running a 'grep expat /usr/src/logs/*':
QtWebEngine
apr-util
httpd
php
serf
exiv2
libunique
dbus-python
Python2
cmake
fontconfig
dbus
polkit
gtk+-2
avahi
wayland
qt5
subversion
graphviz
git
Python3
dbus-glib
gdb
mesa
neon
libglade
libarchive
exempi
dovecot
unbound
XML::Parser
comment:5 by , 3 years ago
Book updated at commit ba2dc1b6a71e75615b103963349fbdf2727e3672 but leaving ticket open for now.
comment:6 by , 3 years ago
For the advisory, here are some details on the vulnerabilities:
CVE-2022-25235 - Base Score of 9.8/10. Description is "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.". Attack Vector is Network, no privileges or user interaction is required, attack complexity is low, Confidentiality/Integrity/Availability impact is High.
CVE-2022-25236 - Base Score of 9.8/10. Description is "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.". Attack Vector is Network, no privileges required or user interaction, attack complexity is Low, high impact to Confidentiality, Integrity, and Availability.
CVE-2022-25313 - Base Score of 7.5/10. Description is "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.". Attack Vector is Network, attack complexity is Low, No user interaction or privileges are required, high impact to Availability but none to confidentiality or integrity.
CVE-2022-25314 - Base Score of 7.5/10. Description is "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.". Attack Vector is Network, attack complexity is Low. No user interaction or privileges are required, high impact to Availability but none to confidentiality or integrity.
CVE-2022-25315 - Base Score of 9.8/10. Description is "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.". Attack Vector is Network, attack complexity is Low. No user interaction or privileges are required, High impact to availability, confidentiality, and integrity.
follow-up: 12 comment:10 by , 3 years ago
Replying to Xi Ruoyao:
2.4.5 and 2.4.6 cause Python test failure:
Apparently fixed in https://github.com/python/cpython/pull/31472, not sure if it is worth pulling that. With shipped 2.10.2 I get failures in test_minidom test_xml_etree
comment:11 by , 3 years ago
Successful builds of dbus-1.12.20, dbus-glib-0.112, fontconfig-2.13.1, git-2.35.1, libarchive-3.6.0, neon-0.32.2, polkit-0.120, Python-2.7.1, Python-3.10.2 rebuild, Unbound-1.15.0.
comment:12 by , 3 years ago
not sure if it is worth pulling that
No IMO because this only changes test. There is not any real functional change.
I've added the description of the failures for Python 3 in BLFS. For LFS it seems we don't need a note as we don't recommend to run Python 3 tests in LFS anyway.
comment:13 by , 3 years ago
Milestone: | 11.2 → 11.1 |
---|
comment:14 by , 3 years ago
Successful build of qtwebengine-5.15.8 showing -lexpat in the log, but qt-5.15.2 fdoes not mention expat in its log.
comment:15 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Files have been checked. Closing.
Quoting Alan Coopersmith on oss-security:
"From https://blog.hartwork.org/posts/expat-2-4-5-released/ :
software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.
CVEs involved:
miss part of the picture; e.g. if Expat passes malformed data to the application using Expat and that application isn't prepared for Expat violating their agreed API contract, you may end up with code execution from something that looked close to harmless, in isolation.
please update to 2.4.5. Thank you!
From https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes :
All of those are currently 'Awaiting Analysis' at NVD.