The widely used XML parser library Expat (libexpat) has been patched against five vulnerabilities.
The library is embedded in open source software such as Apache, Mozilla, Perl, PHP and Python, as well as in most Linux distributions.
The vulnerabilities expose XML processors built on top of Expat to at least two exploit vectors: arbitrary code execution and denial of service.
As developer Sebastian Pipping wrote: “Please note that looking at a vulnerability in isolation may miss part of the picture … if Expat passes malformed data to the application using Expat and that application isn’t prepared for Expat violating their agreed API contract, you may end up with code execution from something that looked close to harmless, in isolation.”
The bugs are fixed in release 2.4.5.
Code execution exploits are known for two of the bugs:
- In CVE-2022-25235, an attacker can get Expat to pass malformed 2- and 3-byte UTF-8 sequences up to the XML processor.
- In CVE-2022-25236, “passing (one or more) namespace separator characters in “xmlns[:prefix]” attribute values made Expat deliver malformed tag names to the XML processor on top of Expat”.
CVE-2022-25313 is a stack exhaustion in Expat’s doctype parsing, while CVE-2022-25314 is an integer overflow in the copyString function. Both of these can crash the application on top of Expat.
Finally, CVE-2022-25315 is an integer overflow in the storeRawNames function, only attackable on 64-bit machines using gigabyte-sized inputs. An exploit is shown here.
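Pipping’s point is that an application should not assume Expat always honours its API contract. The following Python example (written for this article, not code from the Expat project or its maintainers) shows what that looks like for a downstream user: it gates parsing on the linked Expat being at least 2.4.5, caps the input size so gigabyte-sized documents never reach the parser, and checks every element name delivered to the start-element callback against the namespace contract (at most one separator between URI and local name), which is the shape of data the CVE-2022-25236 bug violated. The version threshold, the 64 MiB cap, the separator choice and the sample document are this example’s own assumptions; it uses only the standard-library `xml.parsers.expat` bindings that CPython ships.

```python
"""Defensive use of the Expat bindings bundled with CPython.

Added illustration for the article above; not code from libexpat or from
the article's author. The version gate, the input-size cap and the element
name validation are hardening choices assumed for this example.
"""
import xml.parsers.expat as expat

FIXED_VERSION = (2, 4, 5)            # release that fixes the five CVEs discussed
NS_SEP = " "                         # separator we ask Expat to put between uri and local name
MAX_INPUT_BYTES = 64 * 1024 * 1024   # assumed cap; keeps gigabyte-sized inputs away from the parser

# Constructed sample document (not from the advisory): default namespace plus one prefixed child.
SAMPLE_XML = (
    b'<r xmlns="urn:example:ns">'
    b'<a/>'
    b'<b xmlns:p="urn:example:p"><p:c/></b>'
    b'</r>'
)


def expat_is_patched(version=None, minimum=FIXED_VERSION):
    """True when the linked Expat (or the given version tuple) is at least `minimum`."""
    return tuple(version if version is not None else expat.version_info) >= tuple(minimum)


def validate_name(name, sep=NS_SEP):
    """Enforce the namespace API contract on a name Expat handed to a callback.

    With a namespace-aware parser, a qualified name must be exactly
    "<uri><sep><local>" and an unqualified one has no separator at all. A name
    with two or more separators, or an empty name, is malformed output from the
    parser and is rejected instead of being trusted downstream.
    """
    if not name:
        raise ValueError("empty element name from parser")
    if name.count(sep) > 1:
        raise ValueError(f"malformed namespaced element name: {name!r}")
    return name


def parse_elements(data, *, max_bytes=MAX_INPUT_BYTES, min_version=FIXED_VERSION):
    """Parse `data` (bytes) and return the validated element names in document order.

    Refuses to run on an unpatched Expat, refuses oversized input up front, and
    validates every name before the application sees it.
    """
    if not expat_is_patched(minimum=min_version):
        raise RuntimeError(f"linked Expat {expat.EXPAT_VERSION} is older than required; update libexpat")
    if len(data) > max_bytes:
        raise ValueError(f"input of {len(data)} bytes exceeds cap of {max_bytes}")

    seen = []
    parser = expat.ParserCreate(namespace_separator=NS_SEP)

    def on_start(name, attrs):
        # Validate before the name is used for anything (lookup, logging, allocation).
        seen.append(validate_name(name))

    parser.StartElementHandler = on_start
    parser.Parse(data, True)   # isfinal=True: whole document in one call
    return seen


if __name__ == "__main__":
    print(expat.EXPAT_VERSION, parse_elements(SAMPLE_XML))
```

The version check is the cheap, decisive control: `expat.version_info` reports the Expat actually linked into the interpreter, which on a distribution build may differ from the copy CPython was compiled against. The name validation is deliberately independent of that check, because the advisory’s lesson is that the layer receiving parser output should fail closed on data that violates the contract, whatever the parser’s version string says.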