Bug 31057

Summary: expat new security issue CVE-2022-43680
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: expat-2.2.10-1.5.mga8.src.rpm CVE: CVE-2022-43680
Status comment:
Attachments: python script
testdata

Description David Walser 2022-10-31 15:11:35 CET 
Debian has issued an advisory on October 30:
https://www.debian.org/security/2022/dsa-5266

The issue is fixed upstream in 2.5.0.

We may have to patch Firefox and Thunderbird too (can wait until next update).

Mageia 8 is also affected.
David Walser 2022-10-31 15:50:59 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.5.0
Assignee: bugsquad => nicolas.salguero

Comment 1 Nicolas Salguero 2022-11-02 15:02:46 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. (CVE-2022-43680)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680
https://www.debian.org/security/2022/dsa-5266
========================

Updated packages in core/updates_testing:
========================
expat-2.2.10-1.6.mga8
lib(64)expat1-2.2.10-1.6.mga8
lib(64)expat-devel-2.2.10-1.6.mga8

from SRPM:
expat-2.2.10-1.6.mga8.src.rpm

Status comment: Fixed upstream in 2.5.0 => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-43680
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
Source RPM: expat-2.4.9-1.mga9.src.rpm => expat-2.2.10-1.5.mga8.src.rpm

Comment 2 Herman Viaene 2022-11-03 11:16:22 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed wiki-procedure (I will upload the files used)
$ cd Documents/expat/
$ ls
testdata.xml  testexpat.py
$ python testexpat.py
Tested OK
and to be sure
$ python3 testexpat.py
Tested OK
And as in the wiki
$ xmlwf /etc/xml/catalog
$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)
Looks good to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 3 Herman Viaene 2022-11-03 11:17:07 CET 
Created attachment 13471 [details]
python script
Comment 4 Herman Viaene 2022-11-03 11:17:40 CET 
Created attachment 13472 [details]
testdata
Comment 5 Thomas Andrews 2022-11-03 12:45:36 CET 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-04 16:50:59 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-11-04 22:17:20 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0409.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED