Follow @Openwall on Twitter for new release announcements and other news
[<prev] [day] [month] [year] [list] 
Message-ID: <4bc72c0f-245d-4498-913a-146887651415@oracle.com>
Date: Mon, 1 Dec 2025 16:45:33 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: expat looking for help with another unfixed non-public
 denial-of-service vulnerability [CVE-2025-66382]

https://github.com/libexpat/libexpat/issues/1076 notes:

> Hi!
> 
> Just a quick note that there is another unfixed vulnerability in Expat on my
> desk by now:
> 
>   - It's been reported on September 25th by a human (not fuzzing)
>   - The impact is denial of service
>   - To be more concrete: A crafted file of size ~2 MiB can cause 25–100 seconds
>      processing time, depending on the used hardware.
> 
> My own priorities are elsewhere at the moment. Please reach out if:
> 
>   - you want to help finding a true fix and
>   - you are okay with signing a freeform NDA (to keep the vulnerability details
>      confidential until a fix has made its way into Git master).
> 
> It's not going to be as complex as resolving recursion for Expat 2.7.0 but
> the path forward for a fix is not clear yet.
> 
> Best, Sebastian
> 
> PS: Comments are intentionally closed, please reach out via the e-mail in my
> profile, instead.

[note that I'm just passing this along - if you want to help, contact Sebastian
  via the link to his profile from the github issue, not me.]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.