Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 555
Alerts This Week
Warning Icon 1 555

Ubuntu 22.04 LTS USN-5638-2 Critical: Expat Crash Risk and Code Execution

ubuntu
Calendar Grey November 17, 2022
Dist Ubuntu Esm H88
Urgent alert regarding Expat weaknesses impacting several Ubuntu LTS versions that may lead to system failure or arbitrary code execution.
Expat could be made to crash or execute arbitrary code.

Summary

Expat could be made to crash or execute arbitrary code.

Software Description:

- expat: XML parsing C library

Details:

USN-5638-1 fixed a vulnerability in Expat. This update provides

the corresponding updates for Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and

Ubuntu 22.04 LTS.

Original advisory details:

 Rhodri James discovered that Expat incorrectly handled memory when

 processing certain malformed XML files. An attacker could possibly

 use this issue to cause a crash or execute arbitrary code.

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
   expat                           2.4.7-1ubuntu0.1
   libexpat1                       2.4.7-1ubuntu0.1

Ubuntu 20.04 LTS:
   expat                           2.2.9-1ubuntu0.5
   libexpat1                       2.2.9-1ubuntu0.5

Ubuntu 18.04 LTS:
   expat                           2.2.5-3ubuntu0.8
   libexpat1                       2.2.5-3ubuntu0.8

In general, a standard system update will make all the necessary changes.

References

  https://ubuntu.com/security/notices/USN-5638-2

  https://ubuntu.com/security/notices/USN-5638-1

  CVE-2022-40674, CVE-2022-43680

Severity
critical
Lowest
Low
Medium
High
Critical

November 17, 2022

Package Information

  https://launchpad.net/ubuntu/+source/expat/2.4.7-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/expat/2.2.9-1ubuntu0.5
  https://launchpad.net/ubuntu/+source/expat/2.2.5-3ubuntu0.8

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.