[Debian] CVE: CVE-2022-43680: libexpat: XML_ExternalEntityParserCreate in out-of-memory

Bug #1997194 reported by Yue Tao
Affects: StarlingX | Status: Fix Released | Importance: Medium | Assigned to: Yue Tao | Milestone: (none)

Bug Description

CVE-2022-43680: [https://nvd.nist.gov/vuln/detail/CVE-2022-43680]
In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Score:
cve_id          status  cvss3Score  av  ac  pr  ui  ai
CVE-2022-43680  fixed   7.5         N   L   N   N   H
(av: attack vector, ac: attack complexity, pr: privileges required, ui: user interaction, ai: availability impact)

References:
https://security-tracker.debian.org/tracker/CVE-2022-43680

['libexpat1_2.2.10-2+deb11u3_amd64.deb===>libexpat1_2.2.10-2+deb11u5_amd64.deb', 'libexpat1-dev_2.2.10-2+deb11u3_amd64.deb===>libexpat1-dev_2.2.10-2+deb11u5_amd64.deb']

Found during October 2022 CVE scan using vulscan

Yue Tao (wrytao)
Changed in starlingx:
assignee: nobody → Yue Tao (wrytao)
importance: Undecided → Medium
status: New → Confirmed
tags: added: stx.security
tags: added: stx.8.0
Changed in starlingx:
status: Confirmed → Triaged
information type: Public → Public Security
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/864822

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/864822
Committed: https://opendev.org/starlingx/tools/commit/d5b1c7f7fefc40179112d901f4aceb7822fd45eb
Submitter: "Zuul (22348)"
Branch: master

commit d5b1c7f7fefc40179112d901f4aceb7822fd45eb
Author: Wentao Zhang <email address hidden>
Date: Mon Nov 21 13:47:32 2022 +0800

    Debian:libexpat:fix CVE-2022-43680

    Upgrade libexpat1, libexpat1-dev to the
    version in which CVE-2022-43680 has been fixed:

    libexpat1_2.2.10-2+deb11u3_amd64.deb to
    libexpat1_2.2.10-2+deb11u5_amd64.deb
    libexpat1-dev_2.2.10-2+deb11u3_amd64.deb to
    libexpat1-dev_2.2.10-2+deb11u5_amd64.deb

    (Refer to https://security-tracker.debian.org/tracker/CVE-2022-43680)

    This fix provides the URL of the package in base-bullseye.lst to
    make sure that the binary package can be downloaded no matter how
    the upstream changes.

    Test plan:
    PASS: build-pkgs --clean --all && build-image

    Closes-bug: 1997194
    Signed-off-by: Wentao Zhang <email address hidden>
    Change-Id: I29f6ba079bebd86dbf64b1317d4f289f2c1a82b9

Changed in starlingx:
status: In Progress → Fix Released