Bug 830422 (CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827) - <dev-libs/expat-2.4.3: multiple vulnerabilities
Summary: <dev-libs/expat-2.4.3: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/libexpat/libexpat/...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 831326
Blocks:
Reported: 2022-01-01 22:04 UTC by John Helmert III
Modified: 2022-01-23 21:59 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2022-01-01 22:04:49 UTC
CVE-2021-45960:

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

Patch: https://github.com/libexpat/libexpat/pull/534
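As an added illustration of the size-computation bug described above (example code written for this bug page, not libexpat's own code and not the upstream patch; the entry type and function names are hypothetical), the unchecked `(1 << power) * sizeof(elem)` pattern is shown beside a guarded version. The 32-bit arithmetic is simulated with `uint32_t` so the wrap at a shift of 29 reproduces on any host and shows both failure modes the CVE text names: a byte count of 0 (realloc acting as free) and a byte count that is too small.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the table entries being grown (not expat's NS_ATT). */
typedef struct {
    const char *name;
    unsigned long hash;
} entry_t;

/* The vulnerable pattern, simulated with 32-bit size arithmetic so the wrap
   is reproducible on any host: (1 << power) * elem_size with no bounds check.
   power must be < 32 here to keep the demo itself free of undefined behaviour.
   power 29, elem 16 -> 2^33 wraps to 0; power 29, elem 12 -> wraps to 2^31. */
uint32_t unsafe_bytes32(unsigned power, uint32_t elem_size) {
    uint32_t count = (uint32_t)1 << power;    /* 2^29 entries at power 29 */
    return count * elem_size;                 /* wraps silently past 2^32 */
}

/* Hardened size computation: reject the shift if the count cannot fit size_t,
   then reject the multiplication if count * elem_size would exceed SIZE_MAX.
   Returns 1 and writes *out on success, 0 on overflow (caller treats as ENOMEM). */
int checked_bytes(unsigned power, size_t elem_size, size_t *out) {
    if (power >= sizeof(size_t) * CHAR_BIT)    /* shift would be UB / lose bits */
        return 0;
    size_t count = (size_t)1 << power;
    if (elem_size != 0 && count > SIZE_MAX / elem_size)  /* product would wrap */
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Grow a table to 2^power entries; realloc is never reached with a wrapped
   size, so it cannot be handed 0 (acting as free) or a too-small byte count. */
void *grow_table(void *old, unsigned power, size_t elem_size) {
    size_t bytes;
    if (!checked_bytes(power, elem_size, &bytes))
        return NULL;                           /* report allocation failure */
    return realloc(old, bytes);
}
```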
Comment 1 Sebastian Pipping gentoo-dev 2022-01-02 01:05:14 UTC
I'll do a release with a fix (and another vuln fixed) upstream, in a few days.
Comment 2 John Helmert III gentoo-dev Security 2022-01-02 05:29:13 UTC
(In reply to Sebastian Pipping from comment #1)
> I'll do a release with a fix (and another vuln fixed) upstream, in a few
> days.

No Gentoo bug?
Comment 3 Sebastian Pipping gentoo-dev 2022-01-02 14:10:42 UTC
(In reply to John Helmert III from comment #2)
> No Gentoo bug?

Sorry, I don't understand. Gentoo is affected and I'll bump the ebuild to 2.4.3 with the fix shortly after release. Does that answer the question?
Comment 4 John Helmert III gentoo-dev Security 2022-01-03 20:18:52 UTC
Please remember to file security bugs for security issues in your packages when you notice them.
Comment 5 Sebastian Pipping gentoo-dev 2022-01-03 20:26:57 UTC
(In reply to John Helmert III from comment #4)
> Please remember to file security bugs for security issues in your packages
> when you notice them

Point taken.
Comment 6 Sebastian Pipping gentoo-dev 2022-01-04 19:35:54 UTC
I have requested one more CVE from Mitre (for https://github.com/libexpat/libexpat/issues/532).  My vote for making this a multi-CVE ticket about everything integer overflow for 2.4.3.
Comment 7 John Helmert III gentoo-dev Security 2022-01-06 07:40:04 UTC
CVE-2021-46143 (https://github.com/libexpat/libexpat/issues/532):

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
Comment 8 Sebastian Pipping gentoo-dev 2022-01-08 15:21:04 UTC
I did not expect to get 6(!) CVEs more from a single pull request (https://github.com/libexpat/libexpat/pull/539) but it fixes integer overflows in 6 different functions (in file lib/xmlparse.c) and I guess that made Mitre decide this way:

  CVE            | function
  ---------------+-----------------
  CVE-2022-22822 | addBinding
  CVE-2022-22823 | build_model
  CVE-2022-22824 | defineAttribute
  CVE-2022-22825 | lookup
  CVE-2022-22826 | nextScaffoldPart
  CVE-2022-22827 | storeAtts

Are there any concerns about me adding those 6 CVEs to the alias field in here?
Comment 9 John Helmert III gentoo-dev Security 2022-01-08 20:36:03 UTC
No concern, if there are CVEs that will be addressed by the Gentoo bug then please add those CVEs to the alias. Since the CVEs will all be fixed by this one PR which seems to be planned to make it into the next release, it is appropriate to add them all to this bug. I'll go ahead and do it while I'm here. Thanks!

Also, MITRE doesn't pay that much attention to the CVEs that people request, so if someone requested 6 CVEs for these issues MITRE won't necessarily know that they all have the same root issue. If you'd like, you can request their rejection at https://cveform.mitre.org
Comment 10 Sebastian Pipping gentoo-dev 2022-01-08 20:44:40 UTC
(In reply to John Helmert III from comment #9)
> I'll go ahead and do it while I'm here. Thanks!

Thank you!


> If you'd like, you can request their rejection at https://cveform.mitre.org

I'm good, I respect their decision.  And it's out there, let's stay with status quo.
Comment 11 Larry the Git Cow gentoo-dev 2022-01-16 14:28:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f37a82a6ab4bee144e8a0824a77c8bb8176437db

commit f37a82a6ab4bee144e8a0824a77c8bb8176437db
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-16 14:26:40 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-16 14:28:04 +0000

    dev-libs/expat: 2.4.3
    
    Bug: https://bugs.gentoo.org/830422
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  1 +
 dev-libs/expat/expat-2.4.3.ebuild | 94 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+)
Comment 12 John Helmert III gentoo-dev Security 2022-01-23 18:37:14 UTC
Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2022-01-23 20:53:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04a1b80c37a8f9964c67bd8aaa7dc9913d6c60ae

commit 04a1b80c37a8f9964c67bd8aaa7dc9913d6c60ae
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-23 20:51:56 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-23 20:51:56 +0000

    dev-libs/expat: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/830422
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  2 -
 dev-libs/expat/expat-2.4.1.ebuild | 94 ---------------------------------------
 dev-libs/expat/expat-2.4.2.ebuild | 94 ---------------------------------------
 3 files changed, 190 deletions(-)