Univention Bugzilla – Bug 54480
expat: Multiple issues (5.0)
Last modified: 2022-02-23 16:29:36 CET
New Debian expat 2.2.6-2+deb10u3 fixes:

This update addresses the following issues:
* malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
* namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
* stack exhaustion in doctype parsing (CVE-2022-25313)
* integer overflow in copyString() (CVE-2022-25314)
* integer overflow in storeRawNames() (CVE-2022-25315)
--- mirror/ftp/pool/main/e/expat/expat_2.2.6-2+deb10u2.dsc +++ apt/ucs_5.0-0-errata5.0-1/source/expat_2.2.6-2+deb10u3.dsc @@ -1,3 +1,20 @@ +2.2.6-2+deb10u3 [Sun, 20 Feb 2022 17:19:40 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * Prevent stack exhaustion in build_model (CVE-2022-25313) + * Prevent integer overflow in storeRawNames (CVE-2022-25315) + * Prevent integer overflow in copyString (CVE-2022-25314) + * lib: Fix (harmless) use of uninitialized memory + * lib: Protect against malicious namespace declarations (CVE-2022-25236) + (Closes: #1005895) + * tests: Cover CVE-2022-25236 + * lib: Drop unused macro UTF8_GET_NAMING + * lib: Add missing validation of encoding (CVE-2022-25235) + (Closes: #1005894) + * tests: Cover missing validation of encoding (CVE-2022-25235) + * Fix build_model regression. + * tests: Protect against nested element declaration model regressions + 2.2.6-2+deb10u2 [Wed, 09 Feb 2022 15:18:06 +0100] Salvatore Bonaccorso <carnil@debian.org>: * Non-maintainer upload by the Security Team. <http://piuparts.knut.univention.de/5.0-1/#1674530331999706441>
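Review bot: In the added 2.2.6-2+deb10u3 entry, "Fix build_model regression" and "tests: Protect against nested element declaration model regressions" carry no CVE or Closes reference, so the changelog does not say which change they repair; by name they appear to follow up on "Prevent stack exhaustion in build_model (CVE-2022-25313)". Suggest stating that link in the erratum text, so that anyone cherry-picking only the CVE-2022-25313 patch also takes the regression fix. Likewise, only the CVE-2022-25235 and CVE-2022-25236 entries have a "Closes:" reference; the entries for CVE-2022-25313, CVE-2022-25314 and CVE-2022-25315 have none.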
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-1] 419323993c Bug #54480: expat 2.2.6-2+deb10u3
 doc/errata/staging/expat.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

[5.0-1] e83a141b1c Bug #54480: expat 2.2.6-2+deb10u3
 doc/errata/staging/expat.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x226>