Bug 29902

Summary: expat new security issues CVE-2021-45960, CVE-2021-46143, CVE-2022-2282[2-7]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, mhrambo3501, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: expat-2.2.10-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-01-18 16:04:18 CET 
Expat 2.4.3 has been announced on January 15, fixing security issues:
https://blog.hartwork.org/posts/expat-2-4-3-released/
https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes

Mageia 8 is also affected.
David Walser 2022-01-18 16:04:35 CET

CC: (none) => mrambo, nicolas.salguero
Status comment: (none) => Fixed upstream in 2.4.3
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2022-01-18 16:35:55 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). (CVE-2021-45960)

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. (CVE-2021-46143)

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22824)

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22826)

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
https://blog.hartwork.org/posts/expat-2-4-3-released/
https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes
========================

Updated packages in core/updates_testing:
========================
expat-2.2.10-1.1.mga8
lib(64)expat1-2.2.10-1.1.mga8
lib(64)expat-devel-2.2.10-1.1.mga8

from SRPM:
expat-2.2.10-1.1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.4.3 => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Source RPM: expat-2.4.2-1.mga9.src.rpm => expat-2.2.10-1.mga8.src.rpm

Comment 2 Thomas Andrews 2022-01-21 00:56:34 CET 
No installation issues in VirtualBox.

Used the test procedure from https://wiki.mageia.org/en/QA_procedure:Expat despite knowing nothing about using python. 

The original script/code threw a syntax error. A little research showed it to be a difference between Python 2 and Python 3. After updating the code:

$ python testexpat.py
Tested OK
 
Looks OK. Validating. Advisory in Comment 1.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-01-24 23:13:40 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 3 Mageia Robot 2022-01-25 13:14:26 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0031.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED