Bug 2056363 (CVE-2022-25315)

Summary: CVE-2022-25315 expat: Integer overflow in storeRawNames()
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abrt-devel-list, bdettelb, caswilli, csutherl, ecrosby, erack, erik-fedora, fdupont, fhrdina, fjansen, gzaronik, jburrell, jclere, jhorak, jkoehler, jorton, jwong, jwon, kaycoth, manisandro, mcascell, michal.skrivanek, micjohns, mperina, mturk, nobody, oliver, pjindal, psegedy, rcritten, rh-bugzilla, rh-spice-bugs, rjones, security-response-team, sthirugn, stransky, szappis, tcarlin, tfister, tkasparek, tkorbar, tpopela, tsasak, vkrizan, vkumar, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: expat 2.4.5 Doc Type: If docs needed, set a value
Doc Text:
An integer overflow was found in expat. The issue occurs in storeRawNames() by abusing the m_buffer expansion logic to allow allocations very close to INT_MAX and out-of-bounds heap writes. This flaw can cause a denial of service or potentially arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-03 23:33:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2056364, 2056365, 2057121, 2057122, 2057123, 2057124, 2057125, 2057126, 2057127, 2057128, 2057323, 2057324, 2057431, 2058118, 2058119, 2058120, 2058121, 2058122, 2058123, 2058124, 2058125, 2058126, 2058127, 2058128, 2058129, 2058130, 2058131, 2058132, 2058133, 2058134, 2058135, 2058136, 2058137, 2058138, 2058139, 2058140, 2058141, 2058351, 2058354, 2065579, 2065582, 2070471, 2072091    
Bug Blocks: 2056373    

Description Avinash Hanwate 2022-02-21 05:10:16 UTC 
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

https://github.com/libexpat/libexpat/pull/559
http://www.openwall.com/lists/oss-security/2022/02/19/1
Comment 1 Avinash Hanwate 2022-02-21 05:10:46 UTC 
Created expat tracking bugs for this issue:

Affects: fedora-all [bug 2056364]


Created mingw-expat tracking bugs for this issue:

Affects: fedora-all [bug 2056365]
Comment 2 Mauro Matteo Cascella 2022-02-22 18:26:23 UTC 
Upstream commit:
https://github.com/libexpat/libexpat/commit/eb0362808b4f9f1e2345a0cf203b8cc196d776d9
Comment 8 Mauro Matteo Cascella 2022-02-23 11:52:00 UTC 
Created xmlrpc-c tracking bugs for this issue:

Affects: fedora-all [bug 2057431]
Comment 16 errata-xmlrpc 2022-03-10 15:06:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0815 https://access.redhat.com/errata/RHSA-2022:0815
Comment 17 errata-xmlrpc 2022-03-10 15:14:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0816 https://access.redhat.com/errata/RHSA-2022:0816
Comment 18 errata-xmlrpc 2022-03-10 15:18:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0818 https://access.redhat.com/errata/RHSA-2022:0818
Comment 19 errata-xmlrpc 2022-03-10 15:24:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0817 https://access.redhat.com/errata/RHSA-2022:0817
Comment 20 errata-xmlrpc 2022-03-10 16:27:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0824 https://access.redhat.com/errata/RHSA-2022:0824
Comment 21 errata-xmlrpc 2022-03-14 10:04:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0843 https://access.redhat.com/errata/RHSA-2022:0843
Comment 22 errata-xmlrpc 2022-03-14 10:07:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0847 https://access.redhat.com/errata/RHSA-2022:0847
Comment 23 errata-xmlrpc 2022-03-14 10:13:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0845 https://access.redhat.com/errata/RHSA-2022:0845
Comment 24 errata-xmlrpc 2022-03-14 10:26:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0853 https://access.redhat.com/errata/RHSA-2022:0853
Comment 25 errata-xmlrpc 2022-03-14 10:44:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0850 https://access.redhat.com/errata/RHSA-2022:0850
Comment 26 errata-xmlrpc 2022-03-16 16:17:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0951 https://access.redhat.com/errata/RHSA-2022:0951
Comment 27 Sandro Bonazzola 2022-03-18 09:18:44 UTC 
Created expat tracking bugs for this issue:

Affects: oVirt 4.4 [ bug 2065579 ]

Affects: CentOS Stream 8 [ bug 2065582 ]
Comment 28 errata-xmlrpc 2022-03-22 16:20:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1012 https://access.redhat.com/errata/RHSA-2022:1012
Comment 29 errata-xmlrpc 2022-03-24 13:30:46 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:1053 https://access.redhat.com/errata/RHSA-2022:1053
Comment 32 errata-xmlrpc 2022-03-28 08:56:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:1068 https://access.redhat.com/errata/RHSA-2022:1068
Comment 33 errata-xmlrpc 2022-03-28 09:43:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:1070 https://access.redhat.com/errata/RHSA-2022:1070
Comment 34 errata-xmlrpc 2022-03-28 11:49:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1069 https://access.redhat.com/errata/RHSA-2022:1069
Comment 36 errata-xmlrpc 2022-04-07 09:03:34 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263
Comment 37 errata-xmlrpc 2022-04-12 15:45:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:1309 https://access.redhat.com/errata/RHSA-2022:1309
Comment 38 errata-xmlrpc 2022-10-26 20:08:18 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:7144 https://access.redhat.com/errata/RHSA-2022:7144
Comment 39 errata-xmlrpc 2022-10-26 20:22:19 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:7143 https://access.redhat.com/errata/RHSA-2022:7143
Comment 41 errata-xmlrpc 2022-11-08 10:34:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7811 https://access.redhat.com/errata/RHSA-2022:7811
Comment 42 Product Security DevOps Team 2022-12-03 23:33:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-25315