Expat library patched against code execution vulnerabilities

By

Parser can expose upstream software like Apache.

The popular XML parser library Expat (libexpat) has been patched against five vulnerabilities.

Expat library patched against code execution vulnerabilities

The library features in open source software like Apache, Mozilla, Perl, PHP and Python, along with most Linux distributions.

The vulnerabilities expose XML processors on top of expat to at least two exploit vectors: arbitrary code execution, or denial-of-service.

As developer Sebastian Pipping wrote: “Please note that looking at a vulnerability in isolation may miss part of the picture … if Expat passes malformed data to the application using Expat and that application isn't prepared for Expat violating their agreed API contract, you may end up with code execution from something that looked close to harmless, in isolation.”

The bugs are fixed in release 2.4.5.

Code execution exploits are known for two of the bugs:

  • In CVE-2022-25235, an attacker can get Expat to pass malformed 2- and 3-byte UTF-8 sequences up to the XML processor.
  • In CVE-2022-25236, “passing (one or more) namespace separator characters in "xmlns[:prefix]" attribute values made Expat send malformed tag names to the XML processor on top of Expat”.

CVE-2022-25313 is a stack exhaustion in Expat’s doctype parsing, while CVE-2022-25314 is an integer overflow in the copyString function. Both of these could crash the application on top of Expat.

Finally, CVE-2022-25315 is an integer overflow in the storeRawNames function, only attackable on 64-bit machines using gigabyte-size inputs. An exploit is demonstrated here.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?