CVE-2021-45960: In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). Patch: https://github.com/libexpat/libexpat/pull/534
I'll do a release with a fix (and another vuln fixed) upstream, in a few days.
(In reply to Sebastian Pipping from comment #1)
> I'll do a release with a fix (and another vuln fixed) upstream, in a few
> days.

No Gentoo bug?
(In reply to John Helmert III from comment #2)
> No Gentoo bug?

Sorry, I don't understand. Gentoo is affected and I'll bump the ebuild to 2.4.3 with the fix shortly after release. Does that answer the question?
Please remember to file security bugs for security issues in your packages when you notice them
(In reply to John Helmert III from comment #4)
> Please remember to file security bugs for security issues in your packages
> when you notice them

Point taken.
I have requested one more CVE from Mitre (for https://github.com/libexpat/libexpat/issues/532). My vote for making this a multi-CVE ticket about everything integer overflow for 2.4.3.
CVE-2021-46143 (https://github.com/libexpat/libexpat/issues/532): In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
I did not expect to get 6(!) CVEs more from a single pull request (https://github.com/libexpat/libexpat/pull/539) but it fixes integer overflows in 6 different functions (in file lib/xmlparse.c) and I guess that made Mitre decide this way:

CVE            | function
---------------+-----------------
CVE-2022-22822 | addBinding
CVE-2022-22823 | build_model
CVE-2022-22824 | defineAttribute
CVE-2022-22825 | lookup
CVE-2022-22826 | nextScaffoldPart
CVE-2022-22827 | storeAtts

Are there any concerns about me adding those 6 CVEs to the alias field in here?
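As an added illustration (not libexpat's code and not the fix in the pull requests linked above), the C below models the bug class behind the opening report and the six-function table: a 32-bit table size derived from a parser-controlled count wraps before it reaches realloc(), beside a bounded version that refuses the growth instead. SLOT_BYTES, unsafe_table_bytes and checked_table_grow are constructed names.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added illustration, not libexpat's code: it models the bug class behind the
 * CVEs in this thread. A table size derived from a parser-controlled count is
 * computed in 32 bits, wraps, and the wrapped value reaches realloc(). */

#define SLOT_BYTES 8u   /* constructed per-entry size; the real structs differ */

/* Unsafe pattern: count * SLOT_BYTES wraps modulo 2^32. With SLOT_BYTES = 8
 * (a shift by 3), count = 2^29 yields 0 and count = 2^29 + 1 yields 8, so a
 * huge request becomes a tiny allocation or realloc(p, 0), which may only
 * free the block: the two misbehaviours the report describes. */
static uint32_t unsafe_table_bytes(uint32_t count) {
    return count * SLOT_BYTES;
}

/* Hardened pattern: bound the count before multiplying, in the same width the
 * size is tracked in, so the product cannot wrap, and never realloc to 0.
 * Returns 1 and updates *buf/*cap_bytes on success, 0 on rejection. */
static int checked_table_grow(void **buf, uint32_t count, uint32_t *cap_bytes) {
    if (count == 0 || count > UINT32_MAX / SLOT_BYTES)
        return 0;                        /* would wrap: refuse, do not shrink */
    uint32_t bytes = count * SLOT_BYTES; /* now provably below 2^32 */
    void *p = realloc(*buf, bytes);
    if (p == NULL)
        return 0;                        /* *buf is still valid; caller frees */
    *buf = p;
    *cap_bytes = bytes;
    return 1;
}

/* Small driver so the block runs on its own. */
int main(void) {
    void *table = NULL;
    uint32_t cap = 0;
    int ok_small = checked_table_grow(&table, 4u, &cap);        /* 1, cap 32 */
    int ok_huge  = checked_table_grow(&table, 1u << 29, &cap);  /* 0, cap 32 */
    free(table);
    return (ok_small == 1 && ok_huge == 0 && cap == 32u) ? 0 : 1;
}
```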
No concern, if there are CVEs that will be addressed by the Gentoo bug then please add those CVEs to the alias. Since the CVEs will all be fixed by this one PR which seems to be planned to make it into the next release, it is appropriate to add them all to this bug. I'll go ahead and do it while I'm here. Thanks! Also, MITRE doesn't pay that much attention to the CVEs that people request, so if someone requested 6 CVEs for these issues MITRE won't necessarily know that they all have the same root issue. If you'd like, you can request their rejection at https://cveform.mitre.org
(In reply to John Helmert III from comment #9)
> I'll go ahead and do it while I'm here. Thanks!

Thank you!

> If you'd like, you can request their rejection at https://cveform.mitre.org

I'm good, I respect their decision. And it's out there, let's stay with status quo.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f37a82a6ab4bee144e8a0824a77c8bb8176437db

commit f37a82a6ab4bee144e8a0824a77c8bb8176437db
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-16 14:26:40 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-16 14:28:04 +0000

    dev-libs/expat: 2.4.3

    Bug: https://bugs.gentoo.org/830422
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  1 +
 dev-libs/expat/expat-2.4.3.ebuild | 94 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+)
Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04a1b80c37a8f9964c67bd8aaa7dc9913d6c60ae

commit 04a1b80c37a8f9964c67bd8aaa7dc9913d6c60ae
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-23 20:51:56 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-23 20:51:56 +0000

    dev-libs/expat: Drop vulnerable

    Bug: https://bugs.gentoo.org/830422
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  2 -
 dev-libs/expat/expat-2.4.1.ebuild | 94 ---------------------------------------
 dev-libs/expat/expat-2.4.2.ebuild | 94 ---------------------------------------
 3 files changed, 190 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=03f0a34b2dd087d0388307c6a72febd44202bb20

commit 03f0a34b2dd087d0388307c6a72febd44202bb20
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:24:39 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:02 +0000

    [ GLSA 202209-24 ] Expat: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/791703
    Bug: https://bugs.gentoo.org/830422
    Bug: https://bugs.gentoo.org/831918
    Bug: https://bugs.gentoo.org/833431
    Bug: https://bugs.gentoo.org/870097
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-24.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
GLSA released, all done!