Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 17 Jan 2022 11:54:56 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Expat 2.4.3 released, includes 8 security fixes

 From https://blog.hartwork.org/posts/expat-2-4-3-released/ :

>  2022-01-15 15:58
> 
> libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.
> 
> Expat 2.4.3 has been released earlier today. Besides two minor fixes to the build system, this release is about security fixes. There is a total of 8 CVEs fixed, all related to fixed-size integer math (integer overflow and invalid shifts) near memory allocation. Impact is denial of service, or more.
> 
>     CVE-2021-45960
>     CVE-2021-46143
>     CVE-2022-22822
>     CVE-2022-22823
>     CVE-2022-22824
>     CVE-2022-22825
>     CVE-2022-22826
>     CVE-2022-22827
> 
> For more details, please check out the change log <https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes>.
> 
> If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.3. Thank you!
> 
> Sebastian Pipping

 From https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes :

> Release 2.4.3 Sun January 16 2022
>         Security fixes:
>        #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
>                     resulting in
>                       a) realloc acting as free
>                       b) realloc allocating too few bytes
>                       c) undefined behavior
>                     depending on architecture and precise value
>                     for XML documents with >=2^27+1 prefixed attributes
>                     on a single XML tag a la
>                     "<r xmlns:a='[..]' a:a123='[..]' [..] />"
>                     where XML_ParserCreateNS is used to create the parser
>                     (which needs argument "-n" when running xmlwf).
>                     Impact is denial of service, or more.
>        #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
>                     on variable m_groupSize in function doProlog leading
>                     to realloc acting as free.
>                     Impact is denial of service or more.
>             #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
>                     near memory allocation at multiple places.  Mitre assigned
>                     a dedicated CVE for each involved internal C function:
>                     - CVE-2022-22822 for function addBinding
>                     - CVE-2022-22823 for function build_model
>                     - CVE-2022-22824 for function defineAttribute
>                     - CVE-2022-22825 for function lookup
>                     - CVE-2022-22826 for function nextScaffoldPart
>                     - CVE-2022-22827 for function storeAtts
>                     Impact is denial of service or more.
> 
>         Other changes:
>             #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
>             #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
>                     and MSYS2 by not going through Wine on these platforms
>        #527 #528  Address compiler warnings
>        #533 #543  Version info bumped from 9:2:8 to 9:3:8;
>                     see https://verbump.de/ for what these numbers do
> 
>         Infrastructure:
>             #536  CI: Check for realistic minimum CMake version
>        #529 #539  CI: Cover compilation with -m32
>             #529  CI: Store coverage reports as artifacts for download
>             #528  CI: Upgrade Clang from 11 to 13
> 
>         Special thanks to:
>             An anonymous whitehat
>             Christopher Degawa
>             J. Peter Mugaas
>             Tyson Smith
>                  and
>             GCC Farm Project
>             Trend Micro Zero Day Initiative

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.