Date: Fri, 15 Mar 2024 09:57:05 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Expat 2.6.2 released, includes security fixes

https://blog.hartwork.org/posts/expat-2-6-2-released/ (published 2024-03-13)
announces the release of Expat 2.6.2, with security fixes:

> Regarding actual release content, most importantly, this release fixes the
> security issue CVE-2024-28757 that can be used to cause denial of service
> for code like…
> 
>     XML_Parser parser = XML_ParserCreate(NULL);
>     XML_Parser ext_parser
>       = XML_ExternalEntityParserCreate(parser, NULL, NULL);
>     enum XML_Status status
>       = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
> 
> …where all input is sent to the external parser and none to the parent
> regular parser.
> 
> The commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8
> explains the problem and solution in more detail.
> 
> There is also a bugfix to reject direct parameter entity recursion and to
> avoid the related undefined behavior. The issue was uncovered by
> ClusterFuzz/OSS-Fuzz after 20+ years of being unreported; that speaks
> volumes for the value of fuzzing.

Further details on CVE-2024-28757 and its fix can be seen at:
   https://github.com/libexpat/libexpat/issues/839
   https://github.com/libexpat/libexpat/pull/842
   https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
   https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454

The blog also points to the call for help maintaining libexpat in the Changelog
at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes which notes
that items that need someone to work on include:

!! - <blink>fixing a complex non-public security issue</blink>,              !!

!! - teaming up on researching and fixing future security reports and        !!
!!   ClusterFuzz findings with few-days-max response times in communication  !!
!!   in order to (1) have a sound fix ready before the end of a 90 days      !!
!!   grace period and (2) in a sustainable manner,                           !!

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
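The quoted blog text contrasts the affected usage (an external entity parser that receives all of the input directly) with the regular arrangement in which the parent parser receives the document and creates child parsers for external entities as it meets them. The following is an added example, not code from this post, the blog, or libexpat: it shows that parent-parser arrangement through Python's bundled expat binding (xml.parsers.expat, whose version_info reports the underlying expat version) together with a check against the 2.6.2 release named in the announcement. The sample document and the in-memory entity table are constructed for the example.

```python
# Added example (not code from the oss-security post, the blog, or libexpat):
# the "parent parser" pattern that the quoted text contrasts with the affected
# "external parser only" usage, plus a version check for the fixed release.
import xml.parsers.expat as expat

# Release that the announcement says carries the fix for CVE-2024-28757.
FIXED_VERSION = (2, 6, 2)

# Constructed sample input: one external general entity, resolved from an
# in-memory table so the example runs offline (real code would read a file).
DOCUMENT = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [ <!ENTITY sig SYSTEM "signature.xml"> ]>\n'
    '<note>Hello &sig;</note>\n'
)
ENTITY_TABLE = {"signature.xml": "<b>Regards</b>"}


def expat_is_at_least(version, minimum=FIXED_VERSION):
    """True if an expat version tuple (e.g. expat.version_info) is at or
    above the release that shipped the fix."""
    return tuple(version) >= tuple(minimum)


def parse_with_parent_parser(document, entity_table):
    """Feed the whole document to a parent parser; each external entity
    reference is handled by a child parser that the parent creates via
    ExternalEntityParserCreate, so the parent sees all of the input.
    Returns a dict with the text and element names seen by both parsers,
    the system ids that could not be resolved, and any parse error."""
    result = {"text": [], "elements": [], "unresolved": [], "error": None}
    parent = expat.ParserCreate()

    def on_start(name, attrs):
        result["elements"].append(name)

    def on_chars(data):
        result["text"].append(data)

    def on_external_ref(context, base, system_id, public_id):
        body = entity_table.get(system_id)
        if body is None:
            result["unresolved"].append(system_id)
            return 0  # expat stops with an external-entity-handling error
        # The child inherits the parent's handlers, so its content lands in
        # the same result structure as the parent's.
        child = parent.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parent.StartElementHandler = on_start
    parent.CharacterDataHandler = on_chars
    parent.ExternalEntityRefHandler = on_external_ref
    try:
        parent.Parse(document, True)
    except expat.ExpatError as exc:
        result["error"] = str(exc)
    result["text"] = "".join(result["text"])
    return result


if __name__ == "__main__":
    print("bundled expat:", expat.EXPAT_VERSION,
          "at or above fixed release:", expat_is_at_least(expat.version_info))
    print(parse_with_parent_parser(DOCUMENT, ENTITY_TABLE))
```

Running the module prints which expat version the interpreter carries and whether it is at or above 2.6.2, which is the practical check for a deployment that parses XML through Python; an unresolved entity is reported rather than silently dropped, since the handler returns 0 and the parent parser surfaces the error.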
