Bug 2140059 (CVE-2022-43680)

Summary: CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: csutherl, erack, fhrdina, jclere, jhorak, jwon, kyoshida, mturk, peholase, pjindal, plodge, rcritten, rh-spice-bugs, stransky, szappis, tkorbar, tpopela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: expat 2.5.0 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Expat package, caused by destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. This may lead to availability disruptions.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-17 16:27:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2140060, 2140061, 2140062, 2140063, 2140064, 2140065, 2140678, 2140679, 2140680, 2140681, 2140682, 2140683, 2140684, 2140685, 2140686, 2140687, 2140688, 2140689, 2140690, 2141014, 2141015, 2141016, 2141017    
Bug Blocks: 2137402, 2169449    

Description Sandipan Roy 2022-11-04 10:19:45 UTC 
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

https://github.com/libexpat/libexpat/pull/650
https://github.com/libexpat/libexpat/pull/616
https://github.com/libexpat/libexpat/issues/649
https://lists.debian.org/debian-lts-announce/2022/10/msg00033.html
https://www.debian.org/security/2022/dsa-5266
https://security.gentoo.org/glsa/202210-38
Comment 1 Sandipan Roy 2022-11-04 10:24:43 UTC 
Created expat tracking bugs for this issue:

Affects: fedora-35 [bug 2140060]
Affects: fedora-36 [bug 2140063]


Created mingw-expat tracking bugs for this issue:

Affects: fedora-35 [bug 2140061]
Affects: fedora-36 [bug 2140064]


Created xmlrpc-c tracking bugs for this issue:

Affects: fedora-35 [bug 2140062]
Affects: fedora-36 [bug 2140065]
Comment 4 errata-xmlrpc 2023-01-12 09:20:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0103 https://access.redhat.com/errata/RHSA-2023:0103
Comment 5 errata-xmlrpc 2023-01-23 15:21:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0337 https://access.redhat.com/errata/RHSA-2023:0337
Comment 6 Product Security DevOps Team 2023-03-17 16:27:34 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-43680
Comment 7 errata-xmlrpc 2023-06-05 11:46:58 UTC 
This issue has been addressed in the following products:

  JBCS httpd 2.4.51.sp2

Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355
Comment 9 errata-xmlrpc 2024-01-24 16:48:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0421 https://access.redhat.com/errata/RHSA-2024:0421