Expat 2.4.3 has been announced on January 15, fixing security issues: https://blog.hartwork.org/posts/expat-2-4-3-released/ https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes Mageia 8 is also affected.
CC: (none) => mrambo, nicolas.salgueroStatus comment: (none) => Fixed upstream in 2.4.3Whiteboard: (none) => MGA8TOO
Suggested advisory: ======================== The updated packages fix security vulnerabilities: In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). (CVE-2021-45960) In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. (CVE-2021-46143) addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822) build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823) defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22824) lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825) nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22826) storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827 https://blog.hartwork.org/posts/expat-2-4-3-released/ https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes ======================== Updated packages in core/updates_testing: ======================== expat-2.2.10-1.1.mga8 lib(64)expat1-2.2.10-1.1.mga8 lib(64)expat-devel-2.2.10-1.1.mga8 from SRPM: expat-2.2.10-1.1.mga8.src.rpm
Assignee: bugsquad => qa-bugsStatus comment: Fixed upstream in 2.4.3 => (none)Version: Cauldron => 8Status: NEW => ASSIGNEDWhiteboard: MGA8TOO => (none)Source RPM: expat-2.4.2-1.mga9.src.rpm => expat-2.2.10-1.mga8.src.rpm
No installation issues in VirtualBox. Used the test procedure from https://wiki.mageia.org/en/QA_procedure:Expat despite knowing nothing about using python. The original script/code threw a syntax error. A little research showed it to be a difference between Python 2 and Python 3. After updating the code: $ python testexpat.py Tested OK Looks OK. Validating. Advisory in Comment 1.
Whiteboard: (none) => MGA8-64-OKCC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0031.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED