Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 15 Mar 2024 09:57:05 -0700
From: Alan Coopersmith <>
Subject: Expat 2.6.2 released, includes security fixes (published 2024-03-13)
announces the release of Expat 2.6.2, with security fixes:

> Regarding actual release content, most importantly, this release fixes the
> security issue CVE-2024-28757 that can be used to cause denial of service
> for code like…
>     XML_Parser parser = XML_ParserCreate(NULL);
>     XML_Parser ext_parser
>       = XML_ExternalEntityParserCreate(parser, NULL, NULL);
>     enum XML_Status status
>       = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
> …where all input is sent to the external parser and none to the parent
> regular parser.
> The commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8
> explains the problem and solution in more detail.
> There is also a bugfix to reject direct parameter entity recursion and to
> avoid the related undefined behavior. The issue was uncovered by
> ClusterFuzz/OSS-Fuzz after 20+ years of being unreported; that speaks
> volumes for the value of fuzzing.

Further details on CVE-2024-28757 and its fix can be seen at:

The blog also points to the call for help maintaining libexpat in the Changelog
at which notes
that items that need someone to work on include:

!! - <blink>fixing a complex non-public security issue</blink>,              !!

!! - teaming up on researching and fixing future security reports and        !!
!!   ClusterFuzz findings with few-days-max response times in communication  !!
!!   in order to (1) have a sound fix ready before the end of a 90 days      !!
!!   grace period and (2) in a sustainable manner,                           !!

         -Alan Coopersmith-       
          Oracle Solaris Engineering -

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.