Opened 3 weeks ago

Closed 7 days ago

Last modified 7 days ago

#5792 closed enhancement (fixed)

expat-2.7.3

Reported by: Joe Locash
Owned by: lfs-book
Priority: high
Milestone: 12.5
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

Change History (4)

comment:1 by Bruce Dubbs, 3 weeks ago

Release 2.7.2 - Tue September 16 2025

Security fixes:

  • CVE-2025-59375
    • Disallow use of disproportional amounts of dynamic memory from within an Expat parser (e.g. previously a ~250 KiB sized document was able to cause allocation of ~800 MiB from the heap, i.e. an "amplification" of factor ~3,300); once a threshold (that defaults to 64 MiB) is reached, a maximum amplification factor (that defaults to 100.0) is enforced, and violating documents are rejected with an out-of-memory error.
    • There are two new API functions to fine-tune this new behavior:
      • XML_SetAllocTrackerActivationThreshold
      • XML_SetAllocTrackerMaximumAmplification

If you ever need to increase these defaults for non-attack XML payload, please file a bug report with libexpat.

There is also a new environment variable EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity of allocations debugging at runtime, disabled by default. Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)

Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. Distributors intending to backport (or cherry-pick) the fix need to copy 99% of the related pull request, not just the "lib: Implement tracking of dynamic memory allocations" commit, to not end up with a state that literally does both too much and too little at the same time. Appending ".diff" to the pull request URL could be of help.

Other changes:

  • Autotools: Sync CMake templates with CMake 3.31 for macOS
  • CMake: Drop support for CMake <3.15
  • CMake: Fix off_t detection for -Werror
  • CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
  • Windows: Drop support for Visual Studio <=16.0/2019
  • xmlwf: Mention supported environment variables in --help output
  • xmlwf: Fix (internal) help generator
  • docs: Promote the contract to call function XML_FreeContentModel when registering a custom element declaration handler (via a call to function XML_SetElementDeclHandler)
  • docs: Add missing <p>..</p> wrap
  • docs: Drop AppVeyor badge
  • tests: Fix portable_strndup
  • Drop casts around malloc/free/realloc that C99 does not need
  • Replace empty for-loops with while loops
  • Add const with internal XmlInitUnknownEncodingNS
  • Drop an OpenVMS support leftover
  • Address more clang-tidy warnings
  • Version info bumped from 11:2:10 (libexpat*.so.1.10.2) to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/ for what these numbers do

Infrastructure:

  • CI: Cover compilation on FreeBSD
  • CI: Upgrade Clang from 19 to 21
  • CI: Make calling Cppcheck without --suppress=objectIndex and --suppress=unknownMacro possible
  • CI|Windows: Get off of deprecated image "windows-2019"
  • CI: Adapt to breaking changes in GitHub Actions
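To make the policy in the notes concrete, here is a constructed C model (added here; it is not libexpat's code, and its struct and function names are assumptions) of the two knobs: allocations are unchecked until the 64 MiB threshold is reached, after which the ratio of heap to document bytes must stay within the 100.0 factor, so the ~250 KiB / ~800 MiB figure lands on the rejected side.

```c
#include <stdbool.h>
/* Constructed model of the allocation-tracker policy in the 2.7.2 notes. Not
 * libexpat's code: names and bookkeeping are assumptions; only the two
 * defaults (64 MiB threshold, 100.0 amplification) come from the notes. */
#define DEFAULT_ACTIVATION_THRESHOLD_BYTES (64ULL * 1024 * 1024)
#define DEFAULT_MAXIMUM_AMPLIFICATION 100.0f

typedef struct {
    unsigned long long input_bytes;          /* document bytes fed so far */
    unsigned long long allocated_bytes;      /* heap attributed to the parser */
    unsigned long long activation_threshold; /* bytes before the ratio applies */
    float max_amplification;                 /* ceiling for allocated / input */
} alloc_tracker;

void tracker_init(alloc_tracker *t) {
    t->input_bytes = 0;
    t->allocated_bytes = 0;
    t->activation_threshold = DEFAULT_ACTIVATION_THRESHOLD_BYTES;
    t->max_amplification = DEFAULT_MAXIMUM_AMPLIFICATION;
}

/* Below the threshold any ratio is tolerated; once it is reached,
 * allocated / input must stay within the factor. With no input yet, an
 * over-threshold request counts as unbounded amplification (model assumption). */
bool tracker_allows(const alloc_tracker *t, unsigned long long request) {
    unsigned long long total = t->allocated_bytes + request;
    if (total < t->activation_threshold)
        return true;
    if (t->input_bytes == 0)
        return false;
    return (float)total / (float)t->input_bytes <= t->max_amplification;
}

/* Allocation hook stand-in: false is where the real parser would reject the
 * document with an out-of-memory error, as the notes describe. */
bool tracker_alloc(alloc_tracker *t, unsigned long long request) {
    if (!tracker_allows(t, request))
        return false;
    t->allocated_bytes += request;
    return true;
}

/* One decision on a fresh tracker for a given document size and heap request,
 * e.g. the ~250 KiB -> ~800 MiB case (factor ~3,300) quoted in the notes. */
bool fresh_alloc(unsigned long long input_bytes, unsigned long long request) {
    alloc_tracker t;
    tracker_init(&t);
    t.input_bytes = input_bytes;
    return tracker_alloc(&t, request);
}
```

Note that a 60 MiB request from a 250 KiB document passes even at a ratio of ~245, because the ratio is only enforced once the threshold is reached.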

comment:2 by Bruce Dubbs, 12 days ago

Summary: expat-2.7.2 → expat-2.7.3

Now version 2.7.3.

comment:3 by Bruce Dubbs, 7 days ago

Resolution: fixed
Status: new → closed

Fixed at commit 9e2fa9a05d3

Update to vim-9.1.1806.
Update to iana-etc-20250926.
Update to coreutils-9.8.
Update to expat-2.7.3 (Security release).
Update to linux-6.16.9.
Update to markupsafe-3.0.3.
Update to meson-1.9.1.
Update to openssl-3.5.3.
Update to util-linux-2.41.2.

comment:4 by Douglas R. Reno, 7 days ago

SA-12.4-005 issued.
