From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] expat: Update to version 2.4.5 - Security/CVE fixes
Date: Mon, 21 Feb 2022 10:03:33 +0100 [thread overview]
Message-ID: <73c41b8a-d75f-452a-69e5-b52e2f579f52@ipfire.org> (raw)
In-Reply-To: <20220219150656.4050192-1-adolf.belka@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 5334 bytes --]
Apparently the fix for CVE-2022-25313 caused a regression so expat-2.4.6
has been released with a fix. Please don't merge the below patch and I
will issue a v2 version with 2.4.6 later today.
Thanks,
Adolf.
On 19/02/2022 16:06, Adolf Belka wrote:
> - Update from 2.4.4 to 2.4.5
> - Update of rootfile
> - Changelog
> Release 2.4.5 Fri February 18 2022
> Security fixes:
> #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
> sequences (e.g. from start tag names) to the XML
> processing application on top of Expat can cause
> arbitrary damage (e.g. code execution) depending
> on how invalid UTF-8 is handled inside the XML
> processor; validation was not their job but Expat's.
> Exploits with code execution are known to exist.
> #561 CVE-2022-25236 -- Passing (one or more) namespace separator
> characters in "xmlns[:prefix]" attribute values
> made Expat send malformed tag names to the XML
> processor on top of Expat which can cause
> arbitrary damage (e.g. code execution) depending
> on such unexpectable cases are handled inside the XML
> processor; validation was not their job but Expat's.
> Exploits with code execution are known to exist.
> #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
> that could be triggered by e.g. a 2 megabytes
> file with a large number of opening braces.
> Expected impact is denial of service or potentially
> arbitrary code execution.
> #560 CVE-2022-25314 -- Fix integer overflow in function copyString;
> only affects the encoding name parameter at parser creation
> time which is often hardcoded (rather than user input),
> takes a value in the gigabytes to trigger, and a 64-bit
> machine. Expected impact is denial of service.
> #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
> needs input in the gigabytes and a 64-bit machine.
> Expected impact is denial of service or potentially
> arbitrary code execution.
> Other changes:
> #557 #564 Version info bumped from 9:4:8 to 9:5:8;
> see https://verbump.de/ for what these numbers do
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/expat | 21 ++++++++++-----------
> lfs/expat | 7 ++++---
> 2 files changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat
> index 47ce600ad..1ceffee67 100644
> --- a/config/rootfiles/common/expat
> +++ b/config/rootfiles/common/expat
> @@ -2,21 +2,20 @@
> #usr/include/expat.h
> #usr/include/expat_config.h
> #usr/include/expat_external.h
> -#usr/lib/cmake/expat-2.4.4
> -#usr/lib/cmake/expat-2.4.4/expat-config-version.cmake
> -#usr/lib/cmake/expat-2.4.4/expat-config.cmake
> -#usr/lib/cmake/expat-2.4.4/expat-noconfig.cmake
> -#usr/lib/cmake/expat-2.4.4/expat.cmake
> -#usr/lib/libexpat.a
> +#usr/lib/cmake/expat-2.4.5
> +#usr/lib/cmake/expat-2.4.5/expat-config-version.cmake
> +#usr/lib/cmake/expat-2.4.5/expat-config.cmake
> +#usr/lib/cmake/expat-2.4.5/expat-noconfig.cmake
> +#usr/lib/cmake/expat-2.4.5/expat.cmake
> #usr/lib/libexpat.la
> #usr/lib/libexpat.so
> usr/lib/libexpat.so.1
> -usr/lib/libexpat.so.1.8.4
> +usr/lib/libexpat.so.1.8.5
> #usr/lib/pkgconfig/expat.pc
> #usr/share/doc/expat
> -#usr/share/doc/expat-2.4.4
> -#usr/share/doc/expat-2.4.4/ok.min.css
> -#usr/share/doc/expat-2.4.4/reference.html
> -#usr/share/doc/expat-2.4.4/style.css
> +#usr/share/doc/expat-2.4.5
> +#usr/share/doc/expat-2.4.5/ok.min.css
> +#usr/share/doc/expat-2.4.5/reference.html
> +#usr/share/doc/expat-2.4.5/style.css
> #usr/share/doc/expat/AUTHORS
> #usr/share/doc/expat/changelog
> diff --git a/lfs/expat b/lfs/expat
> index 3898889ad..e0b3040b5 100644
> --- a/lfs/expat
> +++ b/lfs/expat
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 2.4.4
> +VER = 2.4.5
>
> THISAPP = expat-$(VER)
> DL_FILE = $(THISAPP).tar.bz2
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = 99392ce3377777ab0dc8b0f14beda793
> +$(DL_FILE)_MD5 = e5ad7a3aaaecff1e4e0cae81dceef182
>
> install : $(TARGET)
>
> @@ -72,7 +72,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
> $(UPDATE_AUTOMAKE)
> cd $(DIR_APP) && ./configure \
> - --prefix=/usr
> + --prefix=/usr \
> + --disable-static
> cd $(DIR_APP) && make $(MAKETUNING)
> cd $(DIR_APP) && make install
> cd $(DIR_APP) && install -v -m755 -d /usr/share/doc/$(THISAPP)
--
Sent from my laptop
prev parent reply other threads:[~2022-02-21 9:03 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-19 15:06 Adolf Belka
2022-02-21 9:03 ` Adolf Belka [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=73c41b8a-d75f-452a-69e5-b52e2f579f52@ipfire.org \
--to=adolf.belka@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox