Message-ID: <397f9357-0f60-45d2-b150-573028178755@oracle.com>
Date: Fri, 15 Mar 2024 09:57:05 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Expat 2.6.2 released, includes security fixes

https://blog.hartwork.org/posts/expat-2-6-2-released/ (published 2024-03-13)
announces the release of Expat 2.6.2, with security fixes:

> Regarding actual release content, most importantly, this release fixes the
> security issue CVE-2024-28757 that can be used to cause denial of service
> for code like…
>
>     XML_Parser parser = XML_ParserCreate(NULL);
>     XML_Parser ext_parser
>         = XML_ExternalEntityParserCreate(parser, NULL, NULL);
>     enum XML_Status status
>         = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
>
> …where all input is sent to the external parser and none to the parent
> regular parser.
>
> The commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8
> explains the problem and solution in more detail.
>
> There is also a bugfix to reject direct parameter entity recursion and to
> avoid the related undefined behavior. The issue was uncovered by
> ClusterFuzz/OSS-Fuzz after 20+ years of being unreported; that speaks
> volumes for the value of fuzzing.

Further details on CVE-2024-28757 and its fix can be seen at:
https://github.com/libexpat/libexpat/issues/839
https://github.com/libexpat/libexpat/pull/842
https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454

The blog also points to the call for help maintaining libexpat in the Changelog
at https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes which notes
that items that need someone to work on include:

!!   - <blink>fixing a complex non-public security issue</blink>,            !!
!!   - teaming up on researching and fixing future security reports and      !!
!!     ClusterFuzz findings with few-days-max response times in communication !!
!!     in order to (1) have a sound fix ready before the end of a 90 days    !!
!!     grace period and (2) in a sustainable manner,                         !!

-- 
        -Alan Coopersmith-                 alan.coopersmith@...cle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
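The "isolated external parser" pattern quoted above, reproduced through Python's pyexpat binding of the same libexpat API, together with a check that the linked libexpat is at or above 2.6.2. This is an added example, not code from the post, the blog or the libexpat project; the DTD sample is constructed for the demonstration.

```python
"""Added example: mirror the isolated-external-parser call pattern from the
post via pyexpat and report whether the linked libexpat carries the fix."""
import xml.parsers.expat as expat

FIXED_VERSION = (2, 6, 2)  # first release with the CVE-2024-28757 fix, per the post

# Constructed sample: an external DTD subset, which is the kind of input an
# external parameter-entity parser (context=None) consumes.
SAMPLE_DTD = (
    "<!ELEMENT note (to, body)>\n"
    "<!ELEMENT to (#PCDATA)>\n"
    "<!ELEMENT body (#PCDATA)>\n"
)


def expat_is_fixed(version=None):
    """True if the given version tuple (default: the linked libexpat) is >= 2.6.2."""
    v = expat.version_info if version is None else version
    return tuple(v)[:3] >= FIXED_VERSION


def parse_external_subset_isolated(dtd_text):
    """Same shape as the quoted C: the parent parser exists only to derive a
    child parser, and all input is fed to the child, none to the parent.
    Returns the element names declared in dtd_text, in declaration order."""
    parent = expat.ParserCreate()
    # context=None corresponds to XML_ExternalEntityParserCreate(parser, NULL, NULL)
    child = parent.ExternalEntityParserCreate(None)
    declared = []
    child.ElementDeclHandler = lambda name, model: declared.append(name)
    child.Parse(dtd_text, True)  # the parent parser never sees any input
    return declared


if __name__ == "__main__":
    print("libexpat", ".".join(map(str, expat.version_info)),
          "fixed" if expat_is_fixed() else "affected (update to 2.6.2 or later)")
    print("declared elements:", parse_external_subset_isolated(SAMPLE_DTD))
```

Run it on each host to confirm the libexpat that Python actually links against, since distributions may ship a system libexpat rather than the bundled copy.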