Bug 2056366 (CVE-2022-25235)
| Summary: | CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abrt-devel-list, amaumene, bdettelb, caswilli, csutherl, erack, erik-fedora, fhrdina, fjansen, gzaronik, jburrell, jclere, jhorak, jkoehler, jorton, jwong, jwon, kaycoth, manisandro, michal.skrivanek, micjohns, mperina, mturk, nikhjain, nobody, ofalk, pjindal, psegedy, rcritten, rh-bugzilla, rh-spice-bugs, rjones, sthirugn, stransky, szappis, tcarlin, tfister, tkasparek, tkorbar, tpopela, tsasak, vkrizan, vkumar, vmugicag |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | expat 2.4.5 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in expat. Passing malformed 2- and 3-byte UTF-8 sequences (for example, from start tag names) to the XML processing application on top of expat can lead to arbitrary code execution. This issue is dependent on how invalid UTF-8 is handled inside the XML processor.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-04 00:17:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2056367, 2056368, 2057031, 2057032, 2057033, 2057034, 2057035, 2057036, 2057037, 2057090, 2057323, 2057324, 2057430, 2058088, 2058089, 2058090, 2058091, 2058092, 2058093, 2058094, 2058095, 2058096, 2058097, 2058098, 2058099, 2058100, 2058101, 2058102, 2058103, 2058104, 2058105, 2058106, 2058107, 2058108, 2058109, 2058110, 2058111, 2058112, 2058113, 2058114, 2058115, 2058116, 2058117, 2058349, 2058352, 2065579, 2065582, 2070469, 2070481, 2072092, 2072228 | ||
| Bug Blocks: | 2056373 | ||
|
Description
Avinash Hanwate
2022-02-21 05:24:36 UTC
Created expat tracking bugs for this issue: Affects: fedora-all [bug 2056367] Created mingw-expat tracking bugs for this issue: Affects: fedora-all [bug 2056368] Upstream commit: https://github.com/libexpat/libexpat/commit/3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Created xmlrpc-c tracking bugs for this issue: Affects: fedora-all [bug 2057430] This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0815 https://access.redhat.com/errata/RHSA-2022:0815 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0816 https://access.redhat.com/errata/RHSA-2022:0816 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0818 https://access.redhat.com/errata/RHSA-2022:0818 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0817 https://access.redhat.com/errata/RHSA-2022:0817 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0824 https://access.redhat.com/errata/RHSA-2022:0824 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0843 https://access.redhat.com/errata/RHSA-2022:0843 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0847 https://access.redhat.com/errata/RHSA-2022:0847 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0845 https://access.redhat.com/errata/RHSA-2022:0845 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0853 https://access.redhat.com/errata/RHSA-2022:0853 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0850 https://access.redhat.com/errata/RHSA-2022:0850 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0951 https://access.redhat.com/errata/RHSA-2022:0951 Created expat tracking bugs for this issue: Affects: oVirt 4.4 [ bug 2065579 ] Affects: CentOS Stream 8 [ bug 2065582 ] This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:1012 https://access.redhat.com/errata/RHSA-2022:1012 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2022:1053 https://access.redhat.com/errata/RHSA-2022:1053 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:1068 https://access.redhat.com/errata/RHSA-2022:1068 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:1070 https://access.redhat.com/errata/RHSA-2022:1070 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:1069 https://access.redhat.com/errata/RHSA-2022:1069 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2022:1309 https://access.redhat.com/errata/RHSA-2022:1309 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:1539 https://access.redhat.com/errata/RHSA-2022:1539 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:1540 https://access.redhat.com/errata/RHSA-2022:1540 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:1644 https://access.redhat.com/errata/RHSA-2022:1644 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1643 https://access.redhat.com/errata/RHSA-2022:1643 This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2022:7144 https://access.redhat.com/errata/RHSA-2022:7144 This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2022:7143 https://access.redhat.com/errata/RHSA-2022:7143 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7811 https://access.redhat.com/errata/RHSA-2022:7811 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-25235 |