CVE-2021-45960 / CVE-2022-22822 / CVE-2022-22823 / CVE-2022-22824 / CVE-2022-23852 / CVE-2022-25235 / CVE-2022-25236 / CVE-2022-25315: expat multiple CVEs

Bug #1969362 reported by Ghada Khalil
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Medium      Joe Slater

Bug Description

This LP tracks the following expat related CVEs:

CVE-2021-45960: https://nvd.nist.gov/vuln/detail/CVE-2021-45960
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

CVE-2022-22822: https://nvd.nist.gov/vuln/detail/CVE-2022-22822
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-22823: https://nvd.nist.gov/vuln/detail/CVE-2022-22823
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-22824: https://nvd.nist.gov/vuln/detail/CVE-2022-22824
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVE-2022-23852: https://nvd.nist.gov/vuln/detail/CVE-2022-23852
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

CVE-2022-25235: https://nvd.nist.gov/vuln/detail/CVE-2022-25235
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

CVE-2022-25236: https://nvd.nist.gov/vuln/detail/CVE-2022-25236
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

CVE-2022-25315: https://nvd.nist.gov/vuln/detail/CVE-2022-25315
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

Score:
cve_id          status  cvss2Score  av  ac  au  ai
CVE-2021-45960  fixed   9           N   L   S   C
CVE-2022-22822  fixed   7.5         N   L   N   P
CVE-2022-22823  fixed   7.5         N   L   N   P
CVE-2022-22824  fixed   7.5         N   L   N   P
CVE-2022-23852  fixed   7.5         N   L   N   P
CVE-2022-25235  fixed   7.5         N   L   N   P
CVE-2022-25236  fixed   7.5         N   L   N   P
CVE-2022-25315  fixed   7.5         N   L   N   P

References:
https://access.redhat.com/security/cve/cve-2021-45960
https://bugzilla.redhat.com/show_bug.cgi?id=2044451
https://access.redhat.com/errata/RHSA-2022:1069
https://lists.centos.org/pipermail/centos-announce/2022-March/073580.html

Found during April 2022 CVE scan using vulscan
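Five of the eight entries above (CVE-2021-45960, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824 and CVE-2022-25315) are one bug class: a table or buffer size is derived from an attacker-influenced count in an integer type too narrow for the result, and the wrapped value reaches realloc. The C program below is an added illustration of that class and of the guard that closes it. It is not libexpat's code and not the StarlingX fix; the shift-then-multiply shape, the 8-byte element size and the 32-bit width are assumptions chosen so the wrap is visible on any host, not measurements of expat.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Unsafe shape (illustrative, not expat's code): the entry count is
 * 1 << power and the byte count is count * elem_size, both held in 32 bits.
 * Unsigned types are used so the wrap-around is defined behaviour and
 * reproducible; with a signed int, as the NVD text for CVE-2021-45960
 * describes, the same shift is undefined behaviour, which is worse.
 */
uint32_t wrapped_table_bytes(unsigned power, uint32_t elem_size) {
    uint32_t count = (uint32_t)1u << (power & 31u); /* mask only keeps the shift defined */
    return count * elem_size;                       /* wraps modulo 2^32 */
}

/*
 * Hardened shape: compute the same quantity in size_t, refuse a shift that
 * cannot be represented, and refuse a product that would exceed `cap`.
 * `cap` is normally SIZE_MAX; a smaller cap lets the check be exercised
 * for a narrower size type on a 64-bit host. Returns 0 on success, -1 on
 * overflow (or a zero element size), and never writes *out on failure.
 */
int checked_table_bytes(unsigned power, size_t elem_size, size_t cap, size_t *out) {
    if (power >= CHAR_BIT * sizeof(size_t)) {
        return -1;                                  /* 1 << power not representable */
    }
    size_t count = (size_t)1 << power;
    if (elem_size == 0 || count > cap / elem_size) {
        return -1;                                  /* count * elem_size > cap */
    }
    *out = count * elem_size;
    return 0;
}

/*
 * Grow a heap table to 1 << power entries of elem_size bytes. On overflow
 * it returns NULL and leaves `old` untouched, so the caller still owns a
 * valid block and can fail cleanly. It never reaches realloc() with a
 * wrapped or zero size; realloc(p, 0) may simply free p, which is the
 * "only freeing memory" outcome the CVE-2021-45960 text describes.
 */
void *grow_table(void *old, unsigned power, size_t elem_size) {
    size_t bytes;
    if (checked_table_bytes(power, elem_size, SIZE_MAX, &bytes) != 0) {
        return NULL;
    }
    return realloc(old, bytes);
}

int main(void) {
    /* With 8-byte entries the 32-bit product first wraps to 0 at a shift of 29. */
    for (unsigned power = 27; power <= 30; power++) {
        size_t ok;
        int rc = checked_table_bytes(power, 8, UINT32_MAX, &ok);
        printf("power %u: wrapped=%10u checked=%s\n", power,
               (unsigned)wrapped_table_bytes(power, 8),
               rc == 0 ? "ok" : "overflow, refused");
    }
    void *t = grow_table(NULL, 4, 8);       /* 128 bytes, fine */
    void *bad = grow_table(t, 200, 8);      /* refused; t is still valid */
    printf("grow_table(200) -> %s\n", bad == NULL ? "NULL (refused)" : "allocated");
    free(t);
    return 0;
}
```

The check `count > cap / elem_size` is the portable form of an overflow test for a multiplication; on GCC and Clang `__builtin_mul_overflow` does the same job in one call. The point that matters for review is that the unsafe version produces a plausible-looking small number (or zero) rather than an error, so a caller has no way to notice after the fact.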

Revision history for this message
Ghada Khalil (gkhalil) wrote :

Screening: Marking as medium priority as this CVE meets the StarlingX fix criteria. Should be fixed in stx master and considered for cherry-pick to stx.6.0 if a maintenance release is planned

description: updated
tags: added: stx.6.0 stx.7.0 stx.security
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Yue Tao (wrytao)
information type: Public → Public Security
Yue Tao (wrytao)
Changed in starlingx:
assignee: Yue Tao (wrytao) → Joe Slater (jslater0wind)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/839267

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/839267
Committed: https://opendev.org/starlingx/tools/commit/db943d695fad7be038cd95100728c73194bf1386
Submitter: "Zuul (22348)"
Branch: master

commit db943d695fad7be038cd95100728c73194bf1386
Author: Joe Slater <email address hidden>
Date: Mon Apr 25 14:38:32 2022 -0400

    expat: fix several CVEs

    CVE-2021-45960
    CVE-2022-22822
    CVE-2022-22823
    CVE-2022-22824
    CVE-2022-23852
    CVE-2022-25235
    CVE-2022-25236
    CVE-2022-25315

    Advance to expat-2.1.0-14.el7_9.

    === Testing ===
    build-iso; install; boot

     # run test to see if an xml file is well-formed
     $ xmlwf -c -d /tmp /etc/firewalld/zones/public.xml
     $ cat /tmp/public.xml # should look like an xml file
    ===

    Closes-bug: 1969362
    Change-Id: I78f1abc4253d0016fed6845202e00cab91e9ed11
    Signed-off-by: Joe Slater <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released