Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2025:1295-1

Опубликовано: 16 апр. 2025
Источник: suse-cvrf

Описание

Security update for expat

This update for expat fixes the following issues:

  • CVE-2024-8176: Fixed denial of service from chaining a large number of entities caused by stack overflow by resolving use of recursion (bsc#1239618)

Other fixes:

  • version update to 2.7.1 (jsc#PED-12500) Bug fixes: #980 #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext Other changes: #976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}' with Automake that were missing from 2.7.0 release tarballs #983 #984 Fix printf format specifiers for 32bit Emscripten #992 docs: Promote OpenSSF Best Practices self-certification #978 tests/benchmark: Resolve mistaken double close #986 Address compiler warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: #982 CI: Start running Perl XML::Parser integration tests #987 CI: Enforce Clang Static Analyzer clean code #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy #981 CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten #976 #977 CI: Protect against fuzzer files missing from future release archives

  • version update to 2.7.0 #935 #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS #925 Autotools: Sync CMake templates with CMake 3.29 #945 #962 #966 CMake: Drop support for CMake <3.13 #942 CMake: Small fuzzing related improvements #921 docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 #941 docs: Document need for C++11 compiler for use from C++ #959 tests/benchmark: Fix a (harmless) TOCTTOU #944 Windows: Fix installer target location of file xmlwf.xml for CMake #953 Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW #971 Address Cppcheck warnings #969 #970 Mass-migrate links from http:// to https:// #947 #958 .. #974 #975 Document changes since the previous release #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

Список пакетов

Container suse/ltss/sle12.5/sles12sp5:latest
libexpat1-2.7.1-21.43.1
SUSE Linux Enterprise Server 12 SP5-LTSS
expat-2.7.1-21.43.1
libexpat-devel-2.7.1-21.43.1
libexpat1-2.7.1-21.43.1
libexpat1-32bit-2.7.1-21.43.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
expat-2.7.1-21.43.1
libexpat-devel-2.7.1-21.43.1
libexpat1-2.7.1-21.43.1
libexpat1-32bit-2.7.1-21.43.1

Ссылки

Описание

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Затронутые продукты
Container suse/ltss/sle12.5/sles12sp5:latest:libexpat1-2.7.1-21.43.1
SUSE Linux Enterprise Server 12 SP5-LTSS:expat-2.7.1-21.43.1
SUSE Linux Enterprise Server 12 SP5-LTSS:libexpat-devel-2.7.1-21.43.1
SUSE Linux Enterprise Server 12 SP5-LTSS:libexpat1-2.7.1-21.43.1
Ссылки