Bug 878271 (CVE-2022-43680) - <dev-libs/expat-2.5.0: use-after free caused by overeager destruction of a shared DTD in out-of-memory situations
Summary: <dev-libs/expat-2.5.0: use-after free caused by overeager destruction of a sh...
Status: RESOLVED FIXED
Alias: CVE-2022-43680
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/libexpat/libexpat/...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 878275
Blocks:
Reported: 2022-10-25 16:23 UTC by Sebastian Pipping
Modified: 2022-10-31 20:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sebastian Pipping gentoo-dev 2022-10-25 16:23:12 UTC
.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-25 16:26:42 UTC
Thanks for reporting!
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-28 08:17:35 UTC
cleanup done
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-30 03:26:25 UTC
Thanks!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 15:21:55 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2022-10-31 20:26:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5f7a724017a6df6362f93b1d9b5115f952fc93d8

commit 5f7a724017a6df6362f93b1d9b5115f952fc93d8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:22:43 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:25:50 +0000

    [ GLSA 202210-38 ] Expat: Denial of Service
    
    Bug: https://bugs.gentoo.org/878271
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-38.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:27:27 UTC
GLSA released, all done!