Hi! A quick heads-up that there are multiple security fixes upcoming in Expat release 2.4.5 in a few days. I will start requesting CVEs later today. Best, Sebastian
Thanks for reporting!
CVE-2022-25313 (https://github.com/libexpat/libexpat/pull/558): In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

CVE-2022-25314 (https://github.com/libexpat/libexpat/pull/560): In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

CVE-2022-25315 (https://github.com/libexpat/libexpat/pull/559): In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05a3f5ee4da9487f6019e3578701cbd6ee775e78

commit 05a3f5ee4da9487f6019e3578701cbd6ee775e78
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-02-18 23:21:22 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-02-18 23:21:22 +0000

    dev-libs/expat: 2.4.5

    Bug: https://bugs.gentoo.org/833431
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  1 +
 dev-libs/expat/expat-2.4.5.ebuild | 94 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+)
Thanks!
I have no knowledge about how much effort it is to create a GLSA. I'm tempted to vote for a GLSA with this one (due to what I wrote in the upstream change log).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d81dcbd9bb7da73dc8bd98d6ce7f6ab5d0aebd83

commit d81dcbd9bb7da73dc8bd98d6ce7f6ab5d0aebd83
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-02-20 17:54:36 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-02-20 17:54:36 +0000

    dev-libs/expat: 2.4.6

    Bug: https://bugs.gentoo.org/833431
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  1 +
 dev-libs/expat/expat-2.4.6.ebuild | 94 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+)
2.4.5 turned out to have a regression from one of the vulnerability fixes. Hence there is 2.4.6 with a fix and a new regression test case now. I suggest we stabilize 2.4.6 and then get both 2.4.4 and 2.4.5 out of the tree. Does that sound like the right way forward?
(In reply to Sebastian Pipping from comment #7)
> 2.4.5 turned out to have a regression from one of the vulnerability fixes.
> Hence there is 2.4.6 with a fix and a new regression test case now.
>
> I suggest we stabilize 2.4.6 and then get both 2.4.4 and 2.4.5 out of the
> tree.
> Does that sound like the right way forward?

Sounds good to me! I'll go ahead and move over the stablereq.
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04937f9ebb7cadfad287c09b327d95803d9fcd35

commit 04937f9ebb7cadfad287c09b327d95803d9fcd35
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-02-22 17:04:56 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-02-22 17:04:56 +0000

    dev-libs/expat: Drop vulnerable

    Bug: https://bugs.gentoo.org/833431
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/expat/Manifest           |  2 -
 dev-libs/expat/expat-2.4.4.ebuild | 94 ---------------------------------------
 dev-libs/expat/expat-2.4.5.ebuild | 94 ---------------------------------------
 3 files changed, 190 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b880213b94234eba5e216a0742e37941d7446cc

commit 8b880213b94234eba5e216a0742e37941d7446cc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-26 19:06:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-26 19:06:59 +0000

    dev-libs/libwbxml: fix compatibility with newer expat

    Bug: https://bugs.gentoo.org/833431
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/libwbxml-0.11.7-expat-compat-fixes.patch | 116 +++++++++++++++++++++
 dev-libs/libwbxml/libwbxml-0.11.7-r1.ebuild        |  37 +++++++
 2 files changed, 153 insertions(+)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=03f0a34b2dd087d0388307c6a72febd44202bb20

commit 03f0a34b2dd087d0388307c6a72febd44202bb20
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:24:39 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:02 +0000

    [ GLSA 202209-24 ] Expat: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/791703
    Bug: https://bugs.gentoo.org/830422
    Bug: https://bugs.gentoo.org/831918
    Bug: https://bugs.gentoo.org/833431
    Bug: https://bugs.gentoo.org/870097
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-24.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
GLSA released, all done!