Bug#1002994: expat: CVE-2021-45960: A large number of prefixed XML attributes on a single tag can crash libexpat (troublesome left shifts by >=29 bits in function storeAtts)

2022-03-08 Thread Carlos Rodriguez
Hi Laszlo,

Thank you so much!


Regards,

Carlos Rodriguez-Fernandez
Principal Software Engineer

www.healthtrio.com


> On Mar 8, 2022, at 9:37 AM, László Böszörményi (GCS) wrote:
> 
> Hi Carlos,
> 
> On Tue, Mar 8, 2022 at 4:51 PM Carlos Rodriguez wrote:
>> I see that the commit 
>> https://github.com/libexpat/libexpat/commit/0adcb34c49bee5b19bd29b16a578c510c23597ea
>>  is present in the branches corresponding to the expat version >=2.4.3. At 
>> the same time, I see that Debian reported the issue fixed in 
>> https://security-tracker.debian.org/tracker/CVE-2021-45960, in the versions 
>> 2.2.0-2+deb9u5, 2.2.6-2+deb10u3 and 2.2.10-2+deb11u2.
>> 
>> I’m having a hard time seeing how the fix was ported to earlier versions of 
>> expat. Could you please point me to where those fixes were ported?
> You can also check who did the actual update. For 2.2.10-2+deb11u2
> [1] it's Salvatore Bonaccorso and for 2.2.6-2+deb10u3 [2] it's him
> again. But I can answer your question as well. You can get the
> corresponding debian files, expat_2.2.10-2+deb11u2.debian.tar.xz [3]
> and expat_2.2.6-2+deb10u3.debian.tar.xz [4].
> For example, if you download the former, under debian/patches/ you
> will find the backported patches. File naming follows the commit
> messages. That is, for this commit it's the
> lib-Detect-and-prevent-troublesome-left-shifts-in-fu.patch file.
> 
> Regards,
> Laszlo/GCS
> [1] 
> https://tracker.debian.org/news/1306825/accepted-expat-2210-2deb11u2-source-into-proposed-updates-stable-new-proposed-updates/
> [2] 
> https://tracker.debian.org/news/1306839/accepted-expat-226-2deb10u3-source-into-oldstable-proposed-updates-oldstable-new-oldstable-proposed-updates/
> [3] http://snapshot.debian.org/package/expat/2.2.10-2%2Bdeb11u2/
> [4] http://snapshot.debian.org/package/expat/2.2.6-2%2Bdeb10u3/



Bug#1002994: expat: CVE-2021-45960: A large number of prefixed XML attributes on a single tag can crash libexpat (troublesome left shifts by >=29 bits in function storeAtts)

2022-03-08 Thread GCS
Hi Carlos,

On Tue, Mar 8, 2022 at 4:51 PM Carlos Rodriguez wrote:
> I see that the commit 
> https://github.com/libexpat/libexpat/commit/0adcb34c49bee5b19bd29b16a578c510c23597ea
>  is present in the branches corresponding to the expat version >=2.4.3. At 
> the same time, I see that Debian reported the issue fixed in 
> https://security-tracker.debian.org/tracker/CVE-2021-45960, in the versions 
> 2.2.0-2+deb9u5, 2.2.6-2+deb10u3 and 2.2.10-2+deb11u2.
>
> I’m having a hard time seeing how the fix was ported to earlier versions of 
> expat. Could you please point me to where those fixes were ported?
You can also check who did the actual update. For 2.2.10-2+deb11u2
[1] it's Salvatore Bonaccorso and for 2.2.6-2+deb10u3 [2] it's him
again. But I can answer your question as well. You can get the
corresponding debian files, expat_2.2.10-2+deb11u2.debian.tar.xz [3]
and expat_2.2.6-2+deb10u3.debian.tar.xz [4].
For example, if you download the former, under debian/patches/ you
will find the backported patches. File naming follows the commit
messages. That is, for this commit it's the
lib-Detect-and-prevent-troublesome-left-shifts-in-fu.patch file.

Regards,
Laszlo/GCS
[1] 
https://tracker.debian.org/news/1306825/accepted-expat-2210-2deb11u2-source-into-proposed-updates-stable-new-proposed-updates/
[2] 
https://tracker.debian.org/news/1306839/accepted-expat-226-2deb10u3-source-into-oldstable-proposed-updates-oldstable-new-oldstable-proposed-updates/
[3] http://snapshot.debian.org/package/expat/2.2.10-2%2Bdeb11u2/
[4] http://snapshot.debian.org/package/expat/2.2.6-2%2Bdeb10u3/



Bug#1002994: expat: CVE-2021-45960: A large number of prefixed XML attributes on a single tag can crash libexpat (troublesome left shifts by >=29 bits in function storeAtts)

2022-03-08 Thread Carlos Rodriguez
Hello Laszlo,

I see that the commit 
https://github.com/libexpat/libexpat/commit/0adcb34c49bee5b19bd29b16a578c510c23597ea
 is present in the branches corresponding to the expat version >=2.4.3. At the 
same time, I see that Debian reported the issue fixed in 
https://security-tracker.debian.org/tracker/CVE-2021-45960, in the versions 
2.2.0-2+deb9u5, 2.2.6-2+deb10u3 and 2.2.10-2+deb11u2.
 
I’m having a hard time seeing how the fix was ported to earlier versions of 
expat. Could you please point me to where those fixes were ported?
 
Thank you,

Carlos Rodriguez-Fernandez
Principal Software Engineer

www.healthtrio.com




Bug#1002994: expat: CVE-2021-45960: A large number of prefixed XML attributes on a single tag can crash libexpat (troublesome left shifts by >=29 bits in function storeAtts)

2022-01-02 Thread Salvatore Bonaccorso
Source: expat
Version: 2.4.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/issues/531
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 2.2.10-2
Control: found -1 2.2.6-2+deb10u1
Control: found -1 2.2.6-2

Hi,

The following vulnerability was published for expat.

CVE-2021-45960[0]:
| In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more)
| places in the storeAtts function in xmlparse.c can lead to realloc
| misbehavior (e.g., allocating too few bytes, or only freeing memory).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
[1] https://github.com/libexpat/libexpat/issues/531

Regards,
Salvatore
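The shift-and-multiply failure named in the CVE text above, shown as an added example (this is not expat's code and not the upstream fix): a model of how a namespace-attribute hash table is sized, with the unchecked byte-count computation beside a hardened one. Assumptions of the model, none of which come from the page: a 32-bit build where size_t is 32 bits (emulated with uint32_t so the wrap is visible on a 64-bit host), 12 bytes per table slot, and a power-of-two table with at least twice as many slots as prefixed attributes and a minimum of 8 slots. The sizing loop, the function names and the constants are the example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example modelling CVE-2021-45960; not expat's code.
 * Assumption: a 32-bit build, so size_t is 32 bits. uint32_t stands in
 * for that size_t so the wrap shows on a 64-bit host as well. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Assumption: 12 bytes per hash-table slot (three 4-byte fields). */
#define MODEL_SLOT_BYTES 12u

enum realloc_outcome {
    REALLOC_OK = 0,        /* requested size equals the intended size */
    REALLOC_TOO_SMALL = 1, /* size wrapped: table allocated too small */
    REALLOC_FREES = 2      /* size wrapped to 0: realloc(p, 0) frees the block */
};

/* Smallest power of two giving at least 2 * n_prefixes slots, minimum 8.
 * Valid for 1 <= n_prefixes < 2^30, which keeps every shift below 32. */
static unsigned table_power(uint32_t n_prefixes)
{
    unsigned power = 0;
    while (n_prefixes >> power++)   /* stop once n_prefixes >> power is 0 */
        ;
    if (power < 3)
        power = 3;
    return power;
}

/* Vulnerable: the byte count handed to realloc() with no bound on the
 * shift or on the product. With 12-byte slots it wraps modulo 2^32 as
 * soon as power reaches 29. */
static size32_t vulnerable_table_bytes(uint32_t n_prefixes, uint32_t slot_bytes)
{
    unsigned power = table_power(n_prefixes);
    size32_t slots = (size32_t)1 << power;
    return slots * slot_bytes;
}

/* Hardened: reject a shift count at or beyond the type width, then reject
 * a product that would not fit in size_t. Returns 0 on success and -1 for
 * the caller to report as an allocation failure. */
static int hardened_table_bytes(uint32_t n_prefixes, uint32_t slot_bytes,
                                size32_t *out_bytes)
{
    unsigned power = table_power(n_prefixes);
    if (power >= 32)                      /* shift would be undefined */
        return -1;
    size32_t slots = (size32_t)1 << power;
    if (slots > SIZE32_MAX / slot_bytes)  /* slots * slot_bytes would wrap */
        return -1;
    *out_bytes = slots * slot_bytes;
    return 0;
}

/* Classify what the unchecked computation would make realloc() do, in the
 * terms used by the CVE description. */
static enum realloc_outcome classify_vulnerable(uint32_t n_prefixes,
                                                uint32_t slot_bytes)
{
    uint64_t intended = ((uint64_t)1 << table_power(n_prefixes)) * slot_bytes;
    size32_t requested = vulnerable_table_bytes(n_prefixes, slot_bytes);
    if (requested == 0)
        return REALLOC_FREES;
    if (requested < intended)
        return REALLOC_TOO_SMALL;
    return REALLOC_OK;
}

int main(void)
{
    /* Constructed attribute counts: a normal tag, the last safe power,
     * the first wrapping power (29), and a count that wraps to zero. */
    static const uint32_t counts[] = { 5u, 1u << 26, 1u << 27, 1u << 29 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t n = counts[i];
        size32_t bytes = 0;
        printf("%10" PRIu32 " prefixed attrs: power=%2u unchecked=%10" PRIu32
               " outcome=%d\n",
               n, table_power(n), vulnerable_table_bytes(n, MODEL_SLOT_BYTES),
               (int)classify_vulnerable(n, MODEL_SLOT_BYTES));
        if (hardened_table_bytes(n, MODEL_SLOT_BYTES, &bytes) == 0)
            printf("  hardened: %" PRIu32 " bytes\n", bytes);
        else
            printf("  hardened: rejected (would overflow size_t)\n");
    }
    return 0;
}
```

In this model power 29 is first reached at 2^27 prefixed attributes on a single tag, which is why the report speaks of a large number of attributes; at that point the 32-bit product is 2^31 instead of the intended 6 GiB, and two powers later it is 0, which on glibc makes realloc(p, 0) free the old table and return NULL. The two guards in hardened_table_bytes (shift count below the type width, product checked against the maximum size_t) are the conditions any backport has to add, and they are what to look for when reading the lib-Detect-and-prevent-troublesome-left-shifts-in-fu.patch file mentioned earlier in the thread.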