Описание
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
A flaw was found in expat. Passing malformed 2- and 3-byte UTF-8 sequences (for example, from start tag names) to the XML processing application on top of expat can lead to arbitrary code execution. This issue is dependent on how invalid UTF-8 is handled inside the XML processor.
Отчет
This flaw affects applications that leverage expat to parse untrusted XML files. Applications that only parse trusted XML files or do not process XML files at all are not affected by this flaw.
Меры по смягчению последствий
There is no known mitigation other than restricting applications using the expat library from processing untrusted XML content. Please update the affected packages as soon as possible.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | firefox:flatpak/firefox | Affected | ||
| Red Hat Enterprise Linux 8 | thunderbird:flatpak/thunderbird | Affected | ||
| Red Hat Enterprise Linux 9 | firefox | Not affected | ||
| Red Hat Enterprise Linux 9 | thunderbird | Not affected | ||
| Red Hat Enterprise Linux 9 | xmlrpc-c | Not affected | ||
| Red Hat Enterprise Linux 6 Extended Lifecycle Support | expat | Fixed | RHSA-2022:1309 | 12.04.2022 |
| Red Hat Enterprise Linux 7 | firefox | Fixed | RHSA-2022:0824 | 10.03.2022 |
| Red Hat Enterprise Linux 7 | thunderbird | Fixed | RHSA-2022:0850 | 14.03.2022 |
| Red Hat Enterprise Linux 7 | expat | Fixed | RHSA-2022:1069 | 28.03.2022 |
| Red Hat Enterprise Linux 8 | firefox | Fixed | RHSA-2022:0818 | 10.03.2022 |
Показывать по
Дополнительная информация
Статус:
9.8 Critical
CVSS3
Связанные уязвимости
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain valid ...
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
9.8 Critical
CVSS3