Bug 29985

Summary: expat new security issues CVE-2022-23852 and CVE-2022-23990
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: expat-2.2.10-1.1.mga8.src.rpm CVE: CVE-2022-23852, CVE-2022-23990
Status comment:

Description David Walser 2022-02-01 17:59:22 CET 
Debian-LTS has issued an advisory on January 30:
https://www.debian.org/lts/security/2022/dla-2904

The issues are fixed upstream in 2.4.4.

Mageia 8 is also affected.
David Walser 2022-02-01 17:59:38 CET

Status comment: (none) => Fixed upstream in 2.4.4
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2022-02-01 20:15:23 CET 
'expat' is committed by different people, so assigning this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-02-02 10:44:11 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. (CVE-2022-23990)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23990
https://www.debian.org/lts/security/2022/dla-2904
========================

Updated packages in core/updates_testing:
========================
expat-2.2.10-1.2.mga8
lib(64)expat1-2.2.10-1.2.mga8
lib(64)expat-devel-2.2.10-1.2.mga8

from SRPM:
expat-2.2.10-1.2.mga8.src.rpm

Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Source RPM: expat-2.4.3-1.mga9.src.rpm => expat-2.2.10-1.1.mga8.src.rpm
Status comment: Fixed upstream in 2.4.4 => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-23852, CVE-2022-23990

Comment 3 Thomas Andrews 2022-02-02 21:52:18 CET 
Updated all three packages in VirtualBox, with no installation issues.

Consulted with https://wiki.mageia.org/en/QA_procedure:Expat for testing procedure:

$ python testexpat.py
Tested OK

$ xmlwf /etc/xml/catalog
$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

It passes the test. Giving it the OK and validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-02-03 20:43:04 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-02-03 21:30:45 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0048.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED