Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. (CVE-2024-45490)

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). (CVE-2024-45491)

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). (CVE-2024-45492)

References:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2024&m=slackware-security.351556
========================

Updated packages in core/updates_testing:
========================
expat-2.6.3-1.mga9
lib(64)expat1-2.6.3-1.mga9
lib(64)expat-devel-2.6.3-1.mga9

from SRPM:
expat-2.6.3-1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.6.3 => (none)

RH x86_64

Not sure why I have both expat libs but added in qarepo

LC_ALL=C urpmi --auto --auto-update
adding 3 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (32-bit)"
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing //home/katnatek/qa-testing/x86_64/lib64expat1-2.6.3-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/expat-2.6.3-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/i586/libexpat1-2.6.3-1.mga9.i586.rpm
Preparing...                     ##################################################################################################
      1/3: lib64expat1           ##################################################################################################
      2/3: expat                 ##################################################################################################
      3/3: libexpat1             ##################################################################################################
      1/3: removing expat-2.6.2-1.mga9.x86_64
                                 ##################################################################################################
      2/3: removing libexpat1-2.6.2-1.mga9.i586
                                 ##################################################################################################
      3/3: removing lib64expat1-2.6.2-1.mga9.x86_64
                                 ##################################################################################################


Followed the procedure from the wiki, as was used in bug#31057 comment#2 (needed test files are attached to bug#31057)

python and python3 are python 3 now ;)

python
Python 3.10.11 (main, Mar 26 2024, 15:00:27) [GCC 12.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.


python3 testexpat.py 
Tested OK

xmlwf /etc/xml/catalog
xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0294.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED