The widely used XML parser library Expat (libexpat) has been patched against five vulnerabilities.
The library ships in open source software such as Apache, Mozilla, Perl, PHP and Python, along with most Linux distributions.
The vulnerabilities expose XML processors built on top of Expat to at least two exploit outcomes: arbitrary code execution or denial of service.
As developer Sebastian Pipping wrote: “Please note that looking at a vulnerability in isolation may well miss part of the picture … if Expat passes malformed data to the application using Expat and that application is not prepared for Expat violating their agreed API contract, you may end up with code execution from something that seemed rather harmless, in isolation.”
The bugs are fixed in release 2.4.5.
Code execution exploits are known for two of the bugs:
- In CVE-2022-25235, an attacker can get Expat to pass malformed 2- and 3-byte UTF-8 sequences up to the XML processor.
- In CVE-2022-25236, “passing (one or more) namespace separator characters in “xmlns[:prefix]” attribute values made Expat send malformed tag names to the XML processor on top of Expat”.
CVE-2022-25313 is a stack exhaustion in Expat’s doctype parsing, while CVE-2022-25314 is an integer overflow in the copyString function. Both of these could crash the application on top of Expat.
Finally, CVE-2022-25315 is an integer overflow in the storeRawNames function, only attackable on 64-bit machines using gigabyte-size inputs. An exploit is shown below.
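Pipping’s point above is that the application on top of Expat should not silently trust data that violates the parser’s API contract. The following is an added example, not code from the article or from the Expat project, written against Python’s pyexpat binding of libexpat: it checks whether the linked library is at or above the fixed 2.4.5 release, and it treats the contract for CVE-2022-25236 (with namespace processing on, an element name contains at most one separator) as something to verify rather than assume. The separator character, the function names and the sample documents are all choices made for this example.

```python
"""Defensive use of Expat via Python's pyexpat binding (added example)."""
import pyexpat
from xml.parsers import expat

# Release that fixes the five CVEs discussed in the article.
PATCHED_VERSION = (2, 4, 5)
# Namespace separator chosen by this application (an arbitrary choice here).
SEP = "|"


def expat_is_patched(version=None):
    """True if the linked libexpat is at or above 2.4.5.

    'version' defaults to the library actually linked into this interpreter;
    a tuple can be passed explicitly for testing.
    """
    v = tuple(version) if version is not None else tuple(pyexpat.version_info)
    return v >= PATCHED_VERSION


def collect_element_names(xml_bytes):
    """Parse with namespace processing and return the expanded element names.

    Contract: Expat hands the application names of the form
    'uri' + SEP + 'local' (or just 'local'), i.e. at most one separator.
    A name with more separators means the parser passed malformed data
    (the CVE-2022-25236 shape), so it is rejected instead of being consumed.
    """
    names = []

    def start(name, attrs):
        if name.count(SEP) > 1:
            raise ValueError("malformed tag name from parser: %r" % name)
        names.append(name)

    parser = expat.ParserCreate(namespace_separator=SEP)
    parser.StartElementHandler = start
    parser.Parse(xml_bytes, True)
    return names


def parse_result(xml_bytes):
    """Return ('ok', names) or ('rejected', reason).

    A patched libexpat rejects separator characters in namespace URIs itself
    (ExpatError); on an unpatched library the contract check in the handler
    catches the malformed name (ValueError). UnicodeDecodeError covers the
    binding failing to decode malformed UTF-8 handed up by the parser.
    """
    try:
        return ("ok", collect_element_names(xml_bytes))
    except (expat.ExpatError, ValueError, UnicodeDecodeError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample inputs for this example.
    print("libexpat", pyexpat.version_info, "patched:", expat_is_patched())
    print(parse_result(b'<a xmlns="urn:x"><b/></a>'))
    print(parse_result(b'<a xmlns="urn:x|y"/>'))
```

Both the version check and the handler-side check are worth keeping: the first tells you whether the library fix is present, the second keeps the application from acting on a malformed name if it is not.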