Expat 2.6.2 released, includes security fixes

Related Vulnerabilities: CVE-2024-28757  
oss-sec mailing list archives
</form>
Subject: Expat 2.6.2 released, includes security fixes

From: Alan Coopersmith <alan.coopersmith () oracle com>

Date: Fri, 15 Mar 2024 09:57:05 -0700

https://blog.hartwork.org/posts/expat-2-6-2-released/ (published 2024-03-13)
announces the release of Expat 2.6.2, with security fixes:

Regarding actual release content, most importantly, this release fixes the
security issue CVE-2024-28757 that can be used to cause denial of service
for code like…

    #include <string.h>
    #include <expat.h>

    /* doc is the caller's XML input; a constructed placeholder is used here */
    const char *doc = "<root/>";
    XML_Parser parser = XML_ParserCreate(NULL);
    XML_Parser ext_parser   /* child parser for an external entity */
      = XML_ExternalEntityParserCreate(parser, NULL, NULL);
    enum XML_Status status  /* every byte goes to the child parser only */
      = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);

…where all input is sent to the external parser and none to the parent
regular parser.

The commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8
explains the problem and solution in more detail.

There is also a bugfix to reject direct parameter entity recursion and to
avoid the related undefined behavior. The issue was uncovered by
ClusterFuzz/OSS-Fuzz after 20+ years of being unreported; that speaks
volumes for the value of fuzzing.

Further details on CVE-2024-28757 and its fix can be seen at:
  https://github.com/libexpat/libexpat/issues/839
  https://github.com/libexpat/libexpat/pull/842
  https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
  https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454

The blog also points to the call for help maintaining libexpat in the Changelog
at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes which notes
that items that need someone to work on include:

!! - <blink>fixing a complex non-public security issue</blink>,              !!

!! - teaming up on researching and fixing future security reports and        !!
!!   ClusterFuzz findings with few-days-max response times in communication  !!
!!   in order to (1) have a sound fix ready before the end of a 90 days      !!
!!   grace period and (2) in a sustainable manner,                           !!

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
