Bug 30884 - expat new security issue CVE-2022-40674
Summary: expat new security issue CVE-2022-40674
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-23 18:06 CEST by David Walser
Modified: 2022-10-01 19:50 CEST (History)
5 users (show)

See Also:
Source RPM: expat-2.2.10-1.4.mga8.src.rpm
CVE: CVE-2022-40674
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-09-23 18:06:54 CEST 
Debian has issued an advisory on September 22:
https://www.debian.org/security/2022/dsa-5236

The issue is fixed upstream in 2.4.9.
David Walser 2022-09-23 18:07:14 CEST

Status comment: (none) => Fixed upstream in 2.4.9

Comment 1 Lewis Smith 2022-09-23 20:31:22 CEST 
Assigning to NicolasS because you have done CVE updates on this before.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2022-09-26 13:35:24 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
https://www.debian.org/security/2022/dsa-5236
========================

Updated packages in core/updates_testing:
========================
expat-2.2.10-1.5.mga8
lib(64)expat1-2.2.10-1.5.mga8
lib(64)expat-devel-2.2.10-1.5.mga8

from SRPM:
expat-2.2.10-1.5.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
CVE: (none) => CVE-2022-40674
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 2.4.9 => (none)

Comment 3 Herman Viaene 2022-09-26 16:28:36 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Downloaded testfiles from bug 30070 (copied from wiki) and run test.
$ python testexpat.py 
Tested OK
Good to go.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-09-28 04:55:17 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-01 16:58:56 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-10-01 19:50:05 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0352.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.