Errata ALT-PU-2023-4107-2: Information
Fixes
Published: Jan. 10, 2022
BDU:2022-00800
Vulnerability in the defineAttribute function of the xmlparse.c file in the Expat library that allows an attacker to cause a denial of service
Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
BDU:2022-00805
Vulnerability in the lookupl function of the xmlparse.c file in the Expat library, related to an integer overflow, that allows an attacker to cause a denial of service
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: Jan. 26, 2022
BDU:2022-00999
Vulnerability in the doProlog() function of the Expat library that allows an attacker to cause a denial of service
Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Dec. 30, 2021
BDU:2022-01003
Vulnerability in the storeAtts() function of the Expat library that allows an attacker to cause a denial of service
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
BDU:2022-01052
Vulnerability in the doProlog function (xmlparse.c) of the Expat library that allows an attacker to affect the confidentiality, integrity and availability of protected information
Severity: HIGH (8.1) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
BDU:2022-01058
Vulnerability in the storeAtts function (xmlparse.c) of the Expat library, related to an integer overflow, that allows an attacker to execute arbitrary code
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
BDU:2022-01059
Vulnerability in the nextScaffoldPart function (xmlparse.c) of the Expat library, related to an integer overflow, that allows an attacker to execute arbitrary code
Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
BDU:2022-01060
Vulnerability in the build_model function (xmlparse.c) of the Expat library, related to an integer overflow, that allows an attacker to execute arbitrary code
Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Feb. 21, 2022
BDU:2022-01062
Vulnerability in the copyString function of the Expat library, related to an integer overflow, that allows an attacker to cause a denial of service
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: Feb. 21, 2022
BDU:2022-01063
Vulnerability in the xmltok_impl.c component of the Expat library that allows an attacker to execute arbitrary code
Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Feb. 21, 2022
BDU:2022-01064
Vulnerability in the build_model function of the Expat library, related to a stack-based buffer overflow, that allows an attacker to execute arbitrary code
Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Feb. 21, 2022
BDU:2022-01065
Vulnerability in the xmlparse.c component of the Expat library that allows an attacker to cause a denial of service
Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Published: Feb. 21, 2022
BDU:2022-01071
Vulnerability in the storeRawNames function of the Expat library that allows an attacker to cause a denial of service
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: Jan. 25, 2022
BDU:2022-01702
Vulnerability in the libexpat XML parser library, related to an integer overflow, that allows an attacker to execute arbitrary code
Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
BDU:2022-02823
Vulnerability in the addBinding() function of the Expat library that allows an attacker to execute arbitrary code
Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Sept. 14, 2022
BDU:2023-02596
Vulnerability in the doContent function of the xmlparse.c file in the libexpat XML parser library that allows an attacker to execute arbitrary code
Severity: HIGH (8.1) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Oct. 24, 2022
BDU:2023-02688
Vulnerability in the XML_ExternalEntityParserCreate function of the libexpat XML parser library that allows an attacker to cause a denial of service
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: Jan. 21, 2014
Modified: Nov. 7, 2023
CVE-2013-0340
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
Severity: MEDIUM (6.8)
Links:
- [oss-security] 20130221 CVEs for libxml2 and expat internal and external XML entity expansion
- [oss-security] 20130413 Re-evaluating expat/libxml2 CVE assignments
- 90634
- 1028213
- 58233
- GLSA-201701-21
- https://support.apple.com/kb/HT212814
- https://support.apple.com/kb/HT212815
- https://support.apple.com/kb/HT212819
- https://support.apple.com/kb/HT212807
- https://support.apple.com/kb/HT212804
- https://support.apple.com/kb/HT212805
- 20210921 APPLE-SA-2021-09-20-7 Additional information for APPLE-SA-2021-09-13-3 macOS Big Sur 11.6
- 20210921 APPLE-SA-2021-09-20-6 Additional information for APPLE-SA-2021-09-13-1 iOS 14.8 and iPadOS 14.8
- 20210921 APPLE-SA-2021-09-20-3 tvOS 15
- 20210921 APPLE-SA-2021-09-20-2 watchOS 8
- 20210921 APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15
- 20210921 APPLE-SA-2021-09-20-8 Additional information for APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina
- [oss-security] 20211007 CVE-2021-40439: Apache OpenOffice: Billion Laughs
- 20211027 APPLE-SA-2021-10-26-9 Additional information for APPLE-SA-2021-09-20-1 iOS 15 and iPadOS 15
- 20211027 APPLE-SA-2021-10-26-11 Additional information for APPLE-SA-2021-09-20-3 tvOS 15
- 20211027 APPLE-SA-2021-10-26-10 Additional information for APPLE-SA-2021-09-20-2 watchOS 8
- https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702%40%3Cusers.openoffice.apache.org%3E
- https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d%40%3Cannounce.apache.org%3E
Published: Jan. 1, 2022
Modified: Oct. 6, 2022
CVE-2021-45960
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Links:
- https://github.com/libexpat/libexpat/issues/531
- https://github.com/libexpat/libexpat/pull/534
- https://bugzilla.mozilla.org/show_bug.cgi?id=1217609
- [oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes
- https://security.netapp.com/advisory/ntap-20220121-0004/
- https://www.tenable.com/security/tns-2022-05
- DSA-5073
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- GLSA-202209-24
Published: Jan. 6, 2022
Modified: Oct. 6, 2022
CVE-2021-46143
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Links:
- https://github.com/libexpat/libexpat/issues/532
- https://github.com/libexpat/libexpat/pull/538
- [oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes
- https://security.netapp.com/advisory/ntap-20220121-0006/
- https://www.tenable.com/security/tns-2022-05
- DSA-5073
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- GLSA-202209-24
Published: Jan. 10, 2022
Modified: Oct. 6, 2022
CVE-2022-22822
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
Modified: Oct. 6, 2022
CVE-2022-22823
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
Modified: Oct. 6, 2022
CVE-2022-22824
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
Modified: Oct. 6, 2022
CVE-2022-22825
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
Modified: Oct. 6, 2022
CVE-2022-22826
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: Jan. 10, 2022
Modified: Oct. 6, 2022
CVE-2022-22827
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: Jan. 24, 2022
Modified: Oct. 29, 2022
CVE-2022-23852
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
- https://github.com/libexpat/libexpat/pull/550
- https://www.tenable.com/security/tns-2022-05
- DSA-5073
- https://security.netapp.com/advisory/ntap-20220217-0001/
- [debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- GLSA-202209-24
Published: Jan. 26, 2022
Modified: Nov. 7, 2023
CVE-2022-23990
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: Feb. 16, 2022
Modified: Nov. 7, 2023
CVE-2022-25235
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
- https://github.com/libexpat/libexpat/pull/562
- [oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes
- DSA-5085
- https://security.netapp.com/advisory/ntap-20220303-0008/
- [debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- GLSA-202209-24
- FEDORA-2022-04f206996b
- FEDORA-2022-3d9d67f558
Published: Feb. 16, 2022
Modified: Nov. 7, 2023
CVE-2022-25236
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
- https://github.com/libexpat/libexpat/pull/561
- [oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes
- DSA-5085
- GLSA-202209-24
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- http://packetstormsecurity.com/files/167238/Zoom-XMPP-Stanza-Smuggling-Remote-Code-Execution.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- [debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update
- https://security.netapp.com/advisory/ntap-20220303-0008/
- FEDORA-2022-04f206996b
- FEDORA-2022-3d9d67f558
Published: Feb. 18, 2022
Modified: Nov. 7, 2023
CVE-2022-25313
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Links:
- https://github.com/libexpat/libexpat/pull/558
- [oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes
- DSA-5085
- https://security.netapp.com/advisory/ntap-20220303-0008/
- [debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- GLSA-202209-24
- FEDORA-2022-04f206996b
- FEDORA-2022-3d9d67f558
Published: Feb. 18, 2022
Modified: Nov. 7, 2023
CVE-2022-25314
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
- https://github.com/libexpat/libexpat/pull/560
- [oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes
- DSA-5085
- https://security.netapp.com/advisory/ntap-20220303-0008/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- GLSA-202209-24
- FEDORA-2022-04f206996b
- FEDORA-2022-3d9d67f558
Published: Feb. 18, 2022
Modified: Nov. 7, 2023
CVE-2022-25315
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
- https://github.com/libexpat/libexpat/pull/559
- [oss-security] 20220219 Expat 2.4.5 released, includes 5 security fixes
- DSA-5085
- https://security.netapp.com/advisory/ntap-20220303-0008/
- [debian-lts-announce] 20220307 [SECURITY] [DLA 2935-1] expat security update
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- GLSA-202209-24
- FEDORA-2022-04f206996b
- FEDORA-2022-3d9d67f558
Published: Sept. 14, 2022
Modified: Nov. 7, 2023
CVE-2022-40674
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Links:
- https://github.com/libexpat/libexpat/pull/629
- https://github.com/libexpat/libexpat/pull/640
- DSA-5236
- [debian-lts-announce] 20220925 [SECURITY] [DLA 3119-1] expat security update
- GLSA-202209-24
- https://security.netapp.com/advisory/ntap-20221028-0008/
- GLSA-202211-06
- FEDORA-2022-15ec504440
- FEDORA-2022-c68d90efc3
- FEDORA-2022-d93b3bd8b9
- FEDORA-2022-c22feb71ba
- FEDORA-2022-dcb1d7bcb1
Published: Oct. 24, 2022
Modified: Jan. 21, 2024
CVE-2022-43680
In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
- https://github.com/libexpat/libexpat/pull/650
- https://github.com/libexpat/libexpat/pull/616
- https://github.com/libexpat/libexpat/issues/649
- [debian-lts-announce] 20221028 [SECURITY] [DLA 3165-1] expat security update
- DSA-5266
- GLSA-202210-38
- https://security.netapp.com/advisory/ntap-20221118-0007/
- FEDORA-2022-ae2559a8f4
- FEDORA-2022-3cf0e7ebc7
- FEDORA-2022-f3a939e960
- FEDORA-2022-5f1e2e9016
- FEDORA-2022-49db80f821
- FEDORA-2022-c43235716e
- [oss-security] 20231228 CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat
- [oss-security] 20240103 CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat