CVE-2022-22827 storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

There is a buffer overflow in the handling of DOLLARS characters in an entity, as demonstrated by an example in the advisory. An attacker could exploit this issue to cause a denial of service or possibly remote code execution. For remote code execution, an attacker would need the privileges to create XML documents. An attacker could exploit this issue by sending a specially crafted XML request to a user.

There are non-CVE-related issues in libexpat, too. For example, the parser in libexpat may cause a segmentation fault while parsing a signed integer, as demonstrated here: https://jira.sentry.io/browse/SENTRY-15940. The fix for this issue was backported to libexpat version 1.

Expat is a library that is used by many applications to parse XML documents. It is used by applications such as Mozilla’s Firefox web browser and Google’s Chrome web browser.

The libexpat version in Red Hat Enterprise Linux 6 is 1.5.3-15. libexpat in Red Hat Enterprise Linux 7 is 2.4.3-1. A patch for the CVE-2018-2615 issue in Red Hat Enterprise Linux is here: https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_Linux/7/html/Security_Updates_List/index.html. An updated libexpat package has been released
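A version check for the affected range stated above (Expat before 2.4.3), as an added example that is not part of the original page or of the Expat project. The host names and inventory lines are constructed, and the helper names are hypothetical.

```python
import re
from xml.parsers import expat

# First fixed release, from the CVE text ("before 2.4.3").
FIXED = (2, 4, 3)

# Constructed inventory lines (hypothetical hosts), using the
# "expat_X.Y.Z" form that expat.EXPAT_VERSION reports.
SAMPLE_INVENTORY = [
    "host-a expat_2.4.1",
    "host-b expat_2.4.3",
    "host-c expat_2.2.10",
]

_VERSION_RE = re.compile(r"expat[_-](\d+)\.(\d+)(?:\.(\d+))?")


def parse_expat_version(text):
    """Return (major, minor, micro) from a string such as 'expat_2.4.1'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Expat version in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """Numeric tuple comparison, so 2.2.10 sorts below 2.4.3."""
    return tuple(version) < FIXED


def audit(lines):
    """Return the inventory lines whose Expat version predates the fix."""
    return [line for line in lines if is_affected(parse_expat_version(line))]


def runtime_report():
    """Check the Expat build linked into this Python interpreter."""
    version = tuple(expat.version_info)
    return {
        "reported": expat.EXPAT_VERSION,
        "version": version,
        "affected_by_number": is_affected(version),
    }


if __name__ == "__main__":
    print(runtime_report())
    print(audit(SAMPLE_INVENTORY))
```

A version number alone does not account for distribution packages that carry backported fixes, so confirm the result against the vendor's advisory for the installed package.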

References:

"CVE-2022-22827 - libexpat: buffer overflow in the handling of DOLLARS characters in an entity" https://access.redhat.com/security/vulnerabilities/cve-2022-22827
"CVE-2018-2615 - Expat: parsing signed integer segmentation fault." https://access.redhat.com/security/vulnerabilities/cve-2018-2615
"SENTRY-15940 - libexpat CSRF vulnerability due to non CVE related issues in libexpat." https://jira.sentry.io/browse/SENTRY-15940
