expat-2.2.5-4.el8.3

エラータID: AXSA:2022-3114:01

Release date: 
Wednesday, March 16, 2022 - 16:53
Subject: 
expat-2.2.5-4.el8.3
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
* expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
* expat: Integer overflow in storeRawNames() (CVE-2022-25315)
* expat: Large number of prefixed XML attributes on a single tag can crash libexpat (CVE-2021-45960)
* expat: Integer overflow in doProlog in xmlparse.c (CVE-2021-46143)
* expat: Integer overflow in addBinding in xmlparse.c (CVE-2022-22822)
* expat: Integer overflow in build_model in xmlparse.c (CVE-2022-22823)
* expat: Integer overflow in defineAttribute in xmlparse.c (CVE-2022-22824)
* expat: Integer overflow in lookup in xmlparse.c (CVE-2022-22825)
* expat: Integer overflow in nextScaffoldPart in xmlparse.c (CVE-2022-22826)
* expat: Integer overflow in storeAtts in xmlparse.c (CVE-2022-22827)
* expat: Integer overflow in function XML_GetBuffer (CVE-2022-23852)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-45960
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
CVE-2021-46143
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVE-2022-22822
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22823
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22824
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22825
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22826
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22827
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-23852
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVE-2022-25235
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
CVE-2022-25236
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVE-2022-25315
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

Solution: 

Update packages.

CVEs: 
CVE-2021-45960
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
CVE-2021-46143
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVE-2022-22822
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22823
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22824
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22825
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22826
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22827
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-23852
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVE-2022-25235
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
CVE-2022-25236
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVE-2022-25315
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
Additional Info: 

N/A

Download: 

SRPMS
  1. expat-2.2.5-4.el8.3.src.rpm
    MD5: 42d178a5c7ccb643b8c3d7cde123db16
    SHA-256: a1b643b357e11760fd7d2a721740f62019a0cbf791936622dce159d877f48b54
    Size: 7.92 MB

Asianux Server 8 for x86_64
  1. expat-2.2.5-4.el8.3.x86_64.rpm
    MD5: 0fa3eab125a1d4be805c52a5bd1c2b55
    SHA-256: 77cd8804805bb618e5fec92e1a31075516f29c14551f572ee50ef690772fd754
    Size: 111.71 kB
  2. expat-devel-2.2.5-4.el8.3.x86_64.rpm
    MD5: 674065ae8de252a8f001db02930de8bc
    SHA-256: cb7c82eef4249bae5ccf77296322c86cffd927b9a9f3c2fad033d27921de0411
    Size: 55.41 kB
  3. expat-2.2.5-4.el8.3.i686.rpm
    MD5: 5e475382472caaf445bf9fd30f2e7029
    SHA-256: 65be9740ce0c4193dc05338cea2f4d344e9cf700adee6581334ee2b73e9d44b1
    Size: 111.49 kB
  4. expat-devel-2.2.5-4.el8.3.i686.rpm
    MD5: 3c11b8091fc35a03d17d2ac05105d5c3
    SHA-256: fb55c9327ee5986b49d835cfdccc2167a42a4b977f6889a98e5dc48a67ab2d95
    Size: 55.44 kB