system/expat: CVE-2022-40674: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
Found on a new x86_64 dev builder VM when the upstream source tarball URL 404'd:
>>> expat: Building system/expat 2.4.8-r0 (using abuild 3.4.2-r0) started Tue, 27 Sep 2022 23:48:11 +0000
>>> expat: Checking sanity of /root/packages/system/expat/APKBUILD...
>>> expat: Analyzing dependencies...
>>> expat: Entering /root/packages/system/bash
(1/1) Installing .makedepends-expat (20220927.234812)
OK: 434 MiB in 94 packages
>>> expat: Cleaning temporary build dirs...
>>> expat: Fetching https://downloads.sourceforge.net/project/expat/expat/2.4.8/expat-2.4.8.tar.bz2
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 404 Not Found
>>> ERROR: expat: fetch failed
Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.
It is possible to concoct a situation in which parsing is
suspended while substituting in an internal entity, so that
XML_ResumeParser directly uses internalEntityProcessor as
its processor. If the subsequent parse includes some unclosed
tags, this will return without calling storeRawNames to ensure
that the raw versions of the tag names are stored in memory other
than the parse buffer itself. If the parse buffer is then changed
or reallocated (for example if processing a file line by line),
badness will ensue.
This patch ensures storeRawNames is always called when needed
after calling doContent. The earlier call to doContent does
not need the same protection; it only deals with entity
substitution, which cannot leave unbalanced tags, and in any
case the raw names will be pointing into the stored entity
value not the parse buffer.
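An added example (not code from the page, from Debian or from the libexpat project) that does the two things a practitioner wants after reading the above: decide whether a given libexpat version predates the 2.4.9 fix, and drive the interpreter's own pyexpat through the "processing a file line by line" feeding pattern the commit message names, with an internal entity reference followed by tags left open across chunk boundaries. The 2.4.9 threshold is taken from the title line; pyexpat exposes no XML_StopParser/XML_ResumeParser, so this does not reproduce the suspend/resume trigger, it only shows the buffer-rewriting input pattern on whatever libexpat the interpreter links. The sample document and the version strings are constructed for the example.

```python
import re
import xml.parsers.expat as expat

# First libexpat release in which storeRawNames is always called after
# doContent (the fix for CVE-2022-40674); threshold taken from the page title.
FIXED_VERSION = (2, 4, 9)


def parse_version(text):
    """Extract (major, minor, micro) from strings such as '2.4.8',
    '2.4.8-r0' (Alpine package version) or 'expat_2.4.8' (EXPAT_VERSION)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % (text,))
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the libexpat version tuple predates the 2.4.9 fix.
    Caveat: distributions backport fixes, so an older version string with a
    vendor patch (e.g. a Debian -deb10uN build) is not necessarily vulnerable."""
    return tuple(version) < FIXED_VERSION


def linked_expat_affected():
    """Apply the check to the libexpat this interpreter is linked against
    (xml.parsers.expat.version_info is that library's version tuple)."""
    return is_affected(expat.version_info)


# Constructed sample input: an internal entity reference, then tags that stay
# open across line boundaries. Fed one line per Parse() call, expat's input
# buffer is rewritten between calls, the situation in which a raw tag name
# still pointing into the old buffer becomes a dangling pointer.
DOC_LINES = [
    '<?xml version="1.0"?>\n',
    '<!DOCTYPE d [<!ENTITY e "entity text">]>\n',
    '<a>&e;<b>\n',
    '<c>body</c>\n',
    '</b></a>\n',
]


def parse_line_by_line(lines):
    """Feed the document one chunk at a time and return the element and
    non-blank text events in order. The names in 'end' events are matched
    against the raw start-tag names expat must keep outside the parse buffer."""
    events = []
    p = expat.ParserCreate()
    p.buffer_text = True  # coalesce character data into one event per run
    p.StartElementHandler = lambda name, attrs: events.append(("start", name))
    p.EndElementHandler = lambda name: events.append(("end", name))
    p.CharacterDataHandler = lambda data: (
        events.append(("text", data)) if data.strip() else None)
    for line in lines:
        p.Parse(line, False)   # is_final=False: more input follows
    p.Parse("", True)          # is_final=True: flush and check well-formedness
    return events


if __name__ == "__main__":
    print("linked %s, predates 2.4.9 fix: %s"
          % (expat.EXPAT_VERSION, linked_expat_affected()))
    for ev in parse_line_by_line(DOC_LINES):
        print(ev)
```

On a fixed library the chunked parse completes with the end tags correctly matched to their start tags; the version check is what to run against the `2.4.8-r0` in the build log above, bearing in mind that it reports version age only, not whether a vendor backport is present.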
Hyperlink | Resource |
---|---|
https://github.com/libexpat/libexpat/pull/629 | Issue Tracking, Patch, Third Party Advisory |
https://github.com/libexpat/libexpat/pull/640 | Issue Tracking, Patch, Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html | |
https://www.debian.org/security/2022/dsa-5236 | |