Bug 831918 (CVE-2022-23852, CVE-2022-23990) - <dev-libs/expat-2.4.4: multiple vulnerabilities
Summary: <dev-libs/expat-2.4.4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-23852, CVE-2022-23990
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/libexpat/libexpat/...
Whiteboard: A3 [glsa+]
Depends on: 832351
Reported: 2022-01-23 21:10 UTC by Sebastian Pipping
Modified: 2022-09-29 14:53 UTC

Description Sebastian Pipping gentoo-dev 2022-01-23 21:10:16 UTC
Another integer overflow that's unfixed in 2.4.3 has been reported to me.  CVE is upcoming, upstream PR is https://github.com/libexpat/libexpat/pull/550 .  Will be fixed in release 2.4.4.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-23 22:00:33 UTC
Thanks for reporting! Any further impact than DoS?
Comment 2 Sebastian Pipping gentoo-dev 2022-01-23 22:08:37 UTC
(In reply to John Helmert III from comment #1)
> Thanks for reporting! Any further impact than DoS?

Unclear, could be, but I'm not aware if so.
Comment 3 Sebastian Pipping gentoo-dev 2022-01-26 04:02:52 UTC
Another integer overflow about to be fixed in 2.4.4, CVE requested, PR https://github.com/libexpat/libexpat/pull/551
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-26 14:16:16 UTC
Let's keep the summary unversioned until a fixed version is in tree, so we can tell from just the summary that we have no fixed version.
Comment 5 filip ambroz 2022-01-27 10:27:48 UTC
[CVE-2022-23990]
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

URL: https://github.com/libexpat/libexpat/pull/551

Fixed in 2.4.4
Comment 6 Larry the Git Cow gentoo-dev 2022-01-30 00:39:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7fd316fb024f9d26a1931314740c3ac4ca29f806

commit 7fd316fb024f9d26a1931314740c3ac4ca29f806
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-30 00:38:23 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-30 00:39:23 +0000

    dev-libs/expat: 2.4.4
    
    Bug: https://bugs.gentoo.org/831918
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  1 +
 dev-libs/expat/expat-2.4.4.ebuild | 94 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2022-02-02 19:12:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e99f530165be022589b9bb29ee68e830c440ea9

commit 1e99f530165be022589b9bb29ee68e830c440ea9
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-02-02 19:11:01 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-02-02 19:11:13 +0000

    dev-libs/expat: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/831918
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  1 -
 dev-libs/expat/expat-2.4.3.ebuild | 94 ---------------------------------------
 2 files changed, 95 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-03 01:20:54 UTC
Thanks!
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 16:53:05 UTC
GLSA request filed
Comment 10 Larry the Git Cow gentoo-dev 2022-09-29 14:48:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=03f0a34b2dd087d0388307c6a72febd44202bb20

commit 03f0a34b2dd087d0388307c6a72febd44202bb20
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:24:39 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:02 +0000

    [ GLSA 202209-24 ] Expat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/791703
    Bug: https://bugs.gentoo.org/830422
    Bug: https://bugs.gentoo.org/831918
    Bug: https://bugs.gentoo.org/833431
    Bug: https://bugs.gentoo.org/870097
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-24.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:53:55 UTC
GLSA released, all done!