CVE-2022-22825: lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

The overflow is in lookup(), the hash-table routine in xmlparse.c that Expat uses for element and attribute names, and it is reached while parsing attacker-supplied XML. A size calculation that wraps leads to an undersized allocation and memory corruption, so the outcome can be a crash (denial of service) or potentially code execution, for example when an application parses XML from a malicious site. Expat is an XML parsing library used by many packages, which is why distributions do not simply jump to 2.4.3: Debian backported the upstream fix to the expat version already shipped in its stable release. According to this page, that first backport broke a number of packages that depended on expat. This was not Debian's intention, but it did make things more difficult. After investigating what went wrong, the Debian team concluded that updating expat again, this time taking care that the change would not break any dependent package, would resolve the problem.
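To make the bug class concrete, here is an added example written for this page (it is not libexpat's code). It models the growth step of a name table like the one in lookup(): when the table is half full its size doubles, and the new byte count is newSize * sizeof(NAMED *). Left unchecked, that multiplication can wrap, so a huge table turns into a tiny allocation that is then indexed out of bounds. The checks are patterned after the shape of the upstream fix (refuse a shift that is too wide, then refuse a multiplication that would exceed SIZE_MAX); the names grow_bytes_unchecked32, grow_bytes_checked, table_insert and demo_size_after are this example's own, and the 32-bit size type in the unchecked variant is an assumption made so the wrap is defined and reproducible on any host.

```c
/* Added example, not libexpat code. Models the table-doubling step
 * behind CVE-2022-22825 and the overflow checks that prevent it.
 * Names and the 32-bit size type are this example's assumptions. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *name; } NAMED;

struct table {
    NAMED **v;            /* open-addressed slots; size is 1 << power */
    unsigned char power;
    size_t size;
    size_t used;
};

/* Vulnerable shape, with a 32-bit size type so the wrap is defined:
 * power = 29 doubles to 2^30 slots, whose byte count is 2^32 (32-bit
 * pointers) or 2^33 (64-bit pointers); either wraps to 0 bytes. */
uint32_t grow_bytes_unchecked32(unsigned char power) {
    uint32_t newSize = (uint32_t)1 << (power + 1);
    return newSize * (uint32_t)sizeof(NAMED *);   /* may wrap */
}

/* Fixed shape: byte count of the doubled table, or 0 if doubling
 * would overflow (a real table is never 0 bytes). */
size_t grow_bytes_checked(unsigned char power) {
    unsigned newPower = (unsigned)power + 1;
    if (newPower >= sizeof(size_t) * CHAR_BIT)    /* invalid shift */
        return 0;
    size_t newSize = (size_t)1 << newPower;
    if (newSize > SIZE_MAX / sizeof(NAMED *))     /* multiply wraps */
        return 0;
    return newSize * sizeof(NAMED *);
}

static size_t hash_str(const char *s) {          /* FNV-1a */
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return (size_t)h;
}

/* Insert name, doubling the table when it is half full. Returns the
 * entry, or NULL on allocation failure or when growth would overflow,
 * which is what the fixed code does instead of carrying on. */
NAMED *table_insert(struct table *t, const char *name) {
    if (t->v == NULL) {
        t->power = 3; t->size = 8; t->used = 0;
        t->v = calloc(t->size, sizeof(NAMED *));
        if (!t->v) return NULL;
    } else if (t->used >= t->size / 2) {
        size_t bytes = grow_bytes_checked(t->power);
        if (bytes == 0) return NULL;              /* refuse to grow */
        size_t newSize = bytes / sizeof(NAMED *);
        NAMED **nv = calloc(newSize, sizeof(NAMED *));
        if (!nv) return NULL;
        for (size_t i = 0; i < t->size; i++) {    /* rehash old slots */
            if (!t->v[i]) continue;
            size_t j = hash_str(t->v[i]->name) & (newSize - 1);
            while (nv[j]) j = (j + 1) & (newSize - 1);
            nv[j] = t->v[i];
        }
        free(t->v);
        t->v = nv; t->size = newSize; t->power++;
    }
    size_t i = hash_str(name) & (t->size - 1);
    while (t->v[i]) {
        if (strcmp(t->v[i]->name, name) == 0) return t->v[i];
        i = (i + 1) & (t->size - 1);
    }
    NAMED *e = malloc(sizeof *e);
    if (!e) return NULL;
    e->name = name;
    t->v[i] = e;
    t->used++;
    return e;
}

void table_free(struct table *t) {
    for (size_t i = 0; i < t->size; i++) free(t->v[i]);
    free(t->v);
    memset(t, 0, sizeof *t);
}

/* Insert n constructed names (k0, k1, ...; n <= 128) and return the
 * slot count afterwards: 8 slots, doubling at 4, 8, 16, 32, 64 used. */
size_t demo_size_after(size_t n) {
    static char names[128][8];
    struct table t = {0};
    if (n > 128) n = 128;
    for (size_t i = 0; i < n; i++) {
        snprintf(names[i], sizeof names[i], "k%zu", i);
        if (!table_insert(&t, names[i])) break;
    }
    size_t size = t.size;
    table_free(&t);
    return size;
}

int main(void) {
    printf("unchecked32(29) = %u bytes (wrapped)\n", grow_bytes_unchecked32(29));
    printf("checked(62)     = %zu (0 means refused)\n", grow_bytes_checked(62));
    printf("checked(3)      = %zu bytes\n", grow_bytes_checked(3));
    printf("slots after 100 inserts = %zu\n", demo_size_after(100));
    return 0;
}
```

The point of the two guards is that each is needed on its own: the shift check stops undefined behaviour before any arithmetic happens, and the division-based comparison against SIZE_MAX catches the multiplication wrap without performing the multiplication first. A caller that receives NULL must treat the insert as failed, exactly as a parser must stop on allocation failure rather than write into a buffer it did not get.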

The Debian Backports Team

First, the team built a new version of the expat package that carried the fix for CVE-2022-22825 and remained compatible with the packages that depend on it. The packages affected by the first attempt were then updated against this new version. After that, no other packages were affected by the change.

What does this mean for Debian users?

The updated package fixes CVE-2022-22825 without breaking other packages. Users get the security update as soon as it is released and can keep using the programs and libraries that depend on expat while the update is applied.

What's backporting?

Backporting is taking a fix from a newer upstream release and applying it to the older version that a stable distribution ships, instead of upgrading the whole library. The result is a new package release of the old version that carries the security fix. For example, to backport the expat fix, the upstream patch to lookup() in xmlparse.c is applied to the expat version in the stable release, the package is rebuilt, and it is published as a security update. The risk is the one described above: a patch that changes the library's behaviour or ABI can break packages built against the older version, so a backport should be rebuilt and tested against its reverse dependencies before release.

Why Should You Care?

If you are a developer, you should care because this is a common problem and one that can be avoided. If you depend on Debian packages, make sure your system has the expat security update for CVE-2022-22825 installed: on Debian the library ships as the libexpat1 package, and its changelog (/usr/share/doc/libexpat1/changelog.Debian.gz) lists the CVEs the packaged version fixes.
The same thing can happen by accident in any distribution that patches expat rather than upgrading it. Many distributions carry an aging expat for exactly that reason: upgrading it outright breaks the packages that depend on it, which is why Debian chose to backport the fix to the expat version in its stable release, and, after the first attempt broke dependents, to do so a second time without breaking them.

Debian Testing and Backports

Packages enter Debian's testing distribution ahead of the next stable release, which gives users an opportunity to try them before that release is made. Testing also carries the expat package that fixes CVE-2022-22825.
The change was made by the expat package maintainer together with the upstream author (the person who wrote the code that was updated). However, as a result of changes in the Git repository, expat got broken by this update, so it had to be fixed again with backports.
