From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH] expat: Update to version 2.4.5 - Security/CVE fixes Date: Mon, 21 Feb 2022 10:03:33 +0100 Message-ID: <73c41b8a-d75f-452a-69e5-b52e2f579f52@ipfire.org> In-Reply-To: <20220219150656.4050192-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8624392276483554065==" List-Id: --===============8624392276483554065== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Apparently the fix for CVE-2022-25313 caused a regression, so expat 2.4.6 has been released with a fix. Please don't merge the patch below; I will issue a v2 of this patch with 2.4.6 later today. Thanks, Adolf. On 19/02/2022 16:06, Adolf Belka wrote: > - Update from 2.4.4 to 2.4.5 > - Update of rootfile > - Changelog > Release 2.4.5 Fri February 18 2022 > Security fixes: > #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 > sequences (e.g. from start tag names) to the XML > processing application on top of Expat can cause > arbitrary damage (e.g. code execution) depending > on how invalid UTF-8 is handled inside the XML > processor; validation was not their job but Expat's. > Exploits with code execution are known to exist. > #561 CVE-2022-25236 -- Passing (one or more) namespace separator > characters in "xmlns[:prefix]" attribute values > made Expat send malformed tag names to the XML > processor on top of Expat which can cause > arbitrary damage (e.g. code execution) depending > on such unexpectable cases are handled inside the XML > processor; validation was not their job but Expat's. > Exploits with code execution are known to exist. > #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing > that could be triggered by e.g. a 2 megabytes > file with a large number of opening braces. > Expected impact is denial of service or potentially > arbitrary code execution. 
> #560 CVE-2022-25314 -- Fix integer overflow in function copyS= tring; > only affects the encoding name parameter at parser cre= ation > time which is often hardcoded (rather than user input), > takes a value in the gigabytes to trigger, and a 64-bit > machine. Expected impact is denial of service. > #559 CVE-2022-25315 -- Fix integer overflow in function store= RawNames; > needs input in the gigabytes and a 64-bit machine. > Expected impact is denial of service or potentially > arbitrary code execution. > Other changes: > #557 #564 Version info bumped from 9:4:8 to 9:5:8; > see https://verbump.de/ for what these numbers do >=20 > Signed-off-by: Adolf Belka
> --- > config/rootfiles/common/expat | 21 ++++++++++----------- > lfs/expat | 7 ++++--- > 2 files changed, 14 insertions(+), 14 deletions(-) >=20
> diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat
> index 47ce600ad..1ceffee67 100644
> --- a/config/rootfiles/common/expat
> +++ b/config/rootfiles/common/expat
> @@ -2,21 +2,20 @@
> #usr/include/expat.h
> #usr/include/expat_config.h
> #usr/include/expat_external.h
> -#usr/lib/cmake/expat-2.4.4
> -#usr/lib/cmake/expat-2.4.4/expat-config-version.cmake
> -#usr/lib/cmake/expat-2.4.4/expat-config.cmake
> -#usr/lib/cmake/expat-2.4.4/expat-noconfig.cmake
> -#usr/lib/cmake/expat-2.4.4/expat.cmake
> -#usr/lib/libexpat.a
> +#usr/lib/cmake/expat-2.4.5
> +#usr/lib/cmake/expat-2.4.5/expat-config-version.cmake
> +#usr/lib/cmake/expat-2.4.5/expat-config.cmake
> +#usr/lib/cmake/expat-2.4.5/expat-noconfig.cmake
> +#usr/lib/cmake/expat-2.4.5/expat.cmake
> #usr/lib/libexpat.la
> #usr/lib/libexpat.so
> usr/lib/libexpat.so.1
> -usr/lib/libexpat.so.1.8.4
> +usr/lib/libexpat.so.1.8.5
> #usr/lib/pkgconfig/expat.pc
> #usr/share/doc/expat
> -#usr/share/doc/expat-2.4.4
> -#usr/share/doc/expat-2.4.4/ok.min.css
> -#usr/share/doc/expat-2.4.4/reference.html
> -#usr/share/doc/expat-2.4.4/style.css
> +#usr/share/doc/expat-2.4.5
> +#usr/share/doc/expat-2.4.5/ok.min.css
> +#usr/share/doc/expat-2.4.5/reference.html
> +#usr/share/doc/expat-2.4.5/style.css
> #usr/share/doc/expat/AUTHORS
> #usr/share/doc/expat/changelog
> diff --git a/lfs/expat b/lfs/expat
> index 3898889ad..e0b3040b5 100644
> --- a/lfs/expat
> +++ b/lfs/expat
> @@ -24,7 +24,7 @@
> =20
> include Config
> =20
> -VER =3D 2.4.4
> +VER =3D 2.4.5
> =20
> THISAPP =3D expat-$(VER)
> DL_FILE =3D $(THISAPP).tar.bz2
> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE)
> =20
> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
> =20
> -$(DL_FILE)_MD5 =3D 99392ce3377777ab0dc8b0f14beda793
> +$(DL_FILE)_MD5 =3D e5ad7a3aaaecff1e4e0cae81dceef182
> =20
> install : $(TARGET)
> =20
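Review bot: The only integrity pin for the new tarball is the MD5 digest on the `$(DL_FILE)_MD5` line, and nothing in the hunk or the commit message records where that digest came from. MD5 is collision-broken, and a digest computed locally from whatever the mirror served only proves the file matches the one the submitter downloaded, not the one upstream released. Before pinning, cross-check the value against the SHA-256 sum or signature published with the upstream 2.4.5 release and say so in the commit message, e.g. `- MD5 verified against the upstream release signature`, so a reviewer can confirm it without re-downloading. Moving the lfs files from MD5 to a stronger hash is a wider change than this patch, but worth tracking. How the `_MD5` variable is consumed is defined in `Config`, which is outside this hunk.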
> @@ -72,7 +72,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
> $(UPDATE_AUTOMAKE)
> cd $(DIR_APP) && ./configure \
> - --prefix=3D/usr
> + --prefix=3D/usr \
> + --disable-static
> cd $(DIR_APP) && make $(MAKETUNING)
> cd $(DIR_APP) && make install
> cd $(DIR_APP) && install -v -m755 -d /usr/share/doc/$(THISAPP)
--=20 Sent from my laptop --===============8624392276483554065==--
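Review bot: The new `--disable-static` configure switch is not mentioned in the commit message, which only lists the version bump, the rootfile update and the changelog, yet it is the change that justifies dropping the `#usr/lib/libexpat.a` entry from the rootfile in the other hunk. Add a bullet such as `- Build with --disable-static; libexpat.a was not shipped in the rootfile` so the behaviour change is reviewable on its own, or put the same sentence as a comment above the `./configure` line. Whether anything else in the tree still links against the static archive cannot be determined from this hunk, and the presumably tab-indented recipe lines lost their indentation in the quoted mail, so that cannot be checked here either.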