Opened 3 weeks ago

Closed 11 days ago

#5964 closed enhancement (fixed)

expat-2.8.2

Reported by: Bruce Dubbs Owned by: SecurityAdvisory
Priority: high Milestone: 13.1
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Xi Ruoyao, 3 weeks ago

Priority: normalhigh

The Changes file mentions about a dozen of vulnerabilities.

comment:2 by Bruce Dubbs, 3 weeks ago

Release 2.8.2 Thu June 25 2026

        Security fixes:
           #1246  CVE-2026-50219 -- Disallow calls to functions
                    `XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`,
                    `XML_ParserFree`, `XML_ParserReset` to guard e.g.
                    Expat bindings from memory corruption;
                    this CPython issue is related:
                    https://github.com/python/cpython/issues/146169
           #1267  CVE-2026-56131 -- Protect XML_ResumeParser from being called
                                    from a handler, plugging a hole in the fix
                                    to CVE-2026-50219
           #1272  CVE-2026-56132 -- Fix out-of-bound scaffolding index store
                                    in `doProlog`
     #1229 #1232  CVE-2026-56403 -- Integer overflow in `storeAtts`
           #1249  CVE-2026-56404 -- Integer overflow in `addBinding`
           #1251  CVE-2026-56405 -- Integer overflow in `getAttributeId`
           #1255  CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
           #1262  CVE-2026-56407 -- Integer overflow in `textLen` handling
            #565  CVE-2026-56408 -- Integer overflow in `copyString`
                    (commit 16e2efd867ea8567ffa012210b52ef5918e20817)
           #1259  CVE-2026-56409 -- xmlwf: Integer overflow in output path join
           #1252  CVE-2026-56410 -- xmlwf: Integer overflow in
                    `resolveSystemId`
           #1263  CVE-2026-56411 -- xmlwf: Integer overflow in notation list
                    allocation
           #1278  CVE-2026-56412 -- Guard XML_TOK_DATA_CHARS handler calls in
                    `doCdataSection`, plugging a hole in the fix to
                    CVE-2026-50219

        Bug fixes:
           #1260  xmlwf: Escape names and base URI in meta output
           #1266  xmlwf: Pick a safe quote for notation system and public IDs

        Other changes:
           #1257  CMake|Autotools: Stop using /dev/urandom by default
     #1244 #1254  CMake: Fix guard for Unix sources of entropy
     #1183 #1270  CMake|Windows: Add missing export for symbol
                                 `XML_SetHashSalt16Bytes`
           #1236  CMake: Mark option EXPAT_OSSFUZZ_BUILD as advanced
           #1283  Limit output indentation for EXPAT_ENTITY_DEBUG=1 and
                    allow unlimited indentation via EXPAT_ENTITY_DEBUG=2
            #565  Replace some loops by use of `memcpy`, `strlen`, `wcslen`
           #1220  lib: Use a size_t for group sizes
           #1221  lib: Fix too-conservative integer overflow check when
                       appending raw name
           #1222  lib: Simplify attribute allocation/management logic
           #1224  Update fallthrough annotations to satisfy Clang and GCC
           #1226  lib: Remove unnecessary void * casts in random code
           #1228  lib: Reduce scope of locals in storeAtts
           #1230  lib: Count attributes with size_t variables
           #1238  Minor get-buffer improvements
     #1239 #1240  lib|tests: Include header expat_config.h first
           #1241  lib: Shrink size of XML_GetBuffer
           #1242  lib: Remove a legacy comment
           #1243  lib: XML_ParserReset: Extract repeated linked-list move logic
           #1243  lib: Unify entity free lists
           #1247  lib: Fix use of '0' as boolean literal
           #1248  lib: Make XML_Index overflow check more intuitive
           #1256  lib: Use size_t for counting string/URI lengths
           #1258  lib: XML_GetInputContext: Remove use of 0 for NULL
           #1261  Comment typo fixes
           #1275  Teach Memory Sanitizer semantics of randomization functions
     #1276 #1281  Version info bumped from 13:1:12 (libexpat*.so.1.12.1)
                    to 13:2:12 (libexpat*.so.1.12.2); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
           #1231  perl-integration.yml: Bump to XML::Parser 2.59
           #1237  emscripten.yml: Bump from Ubuntu 22.04 to 24.04
     #1183 #1271  windows-build.yml: Cover completeness of file
                                     libexpat.def.cmake
           #1274  linux.yml: Make llvm-symbolizer available in CI

comment:3 by Bruce Dubbs, 2 weeks ago

Owner: changed from lfs-book to SecurityAdvisory

Fixed at commit 4a56fb5d78.

Leaving open for security advisories.

comment:4 by Bruce Dubbs, 11 days ago

Resolution: fixed
Status: newclosed

Advisory sa-13.0-138 has been issued.

Note: See TracTickets for help on using tickets.