Alerts This Week
Warning Icon 1 540
Alerts This Week
Warning Icon 1 540

Fedora 35: FEDORA-2022-3d9d67f558 Critical: Expat XML Parser Issues

fedora
Calendar Grey March 1, 2022
Dist Fedora Esm H88
Explore the Fedora 35 mingw-expat 2.4.6 release, addressing critical vulnerabilities like stack exhaustion and integer overflow issues to enhance software security and stability
Update to expat-2.4.6, see https://github.com/libexpat/libexpat/blob/R_2_4_6/expat/Changes for details.

Summary

This is expat, the C library for parsing XML, written by James Clark. Expat

is a stream oriented XML parser. This means that you register handlers with

the parser prior to starting the parse. These handlers are called when the

parser discovers the associated structures in the document being parsed. A

start tag is an example of the kind of structures for which you may

register handlers.

Update to expat-2.4.6, see

https://github.com/libexpat/libexpat/blob/R_2_4_6/expat/Changes for details.

* Mon Feb 21 2022 Sandro Mani - 2.4.6-1

- Update to 2.4.6

[ 1 ] Bug #2056352 - CVE-2022-25313 mingw-expat: expat: stack exhaustion in doctype parsing [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2056352

[ 2 ] Bug #2056355 - CVE-2022-25314 mingw-expat: expat: integer overflow in copyString() [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2056355

[ 3 ] Bug #2056365 - CVE-2022-25315 mingw-expat: expat: integer overflow in storeRawNames() [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2056365

[ 4 ] Bug #2056368 - CVE-2022-25235 mingw-expat: expat: malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2056368

[ 5 ] Bug #2056372 - CVE-2022-25236 mingw-expat: expat: namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2056372

su -c 'dnf upgrade --advisory FEDORA-2022-3d9d67f558' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Topics%20covered

Topics Covered

security advisory fedora critical arbitrary code execution integer overflow expat stack exhaustion

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 35
Version: 2.4.6
Release: 1.fc35
URL: https://libexpat.github.io/
Summary: MinGW Windows port of expat XML parser library

Topics%20covered

Topics Covered

security advisory fedora critical arbitrary code execution integer overflow expat stack exhaustion

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here