Bug 2130769 (CVE-2022-40674) - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c
Summary: CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-40674
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2130782 2130833 2130771 2130772 2130773 2130774 2130775 2130776 2130777 2130778 2130779 2130780 2130781 2130783 2130784 2130785 2130786 2130787 2130788 2130789 2130790 2130791 2130792 2130793 2130794 2130795 2130796 2130797 2130798 2130799 2130800 2130801 2130802 2130803 2130804 2130805 2130806 2130807 2130808 2130809 2130810 2130811 2130812 2130813 2130814 2130815 2130816 2130817 2130818 2130819 2130820 2130821 2130822 2130823 2130824 2130825 2130826 2130827 2130828 2130829 2130830 2130831 2130832 2132277
Blocks: 2126822
TreeView+ depends on / blocked
 
Reported: 2022-09-29 05:02 UTC by Sandipan Roy
Modified: 2023-02-06 01:05 UTC (History)
50 users (show)

Fixed In Version: expat 2.4.9
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in expat. With this flaw, it is possible to create a situation in which parsing is suspended while substituting in an internal entity so that XML_ResumeParser directly uses the internalEntityProcessor as its processor. If the subsequent parse includes some unclosed tags, this will return without calling storeRawNames to ensure that the raw versions of the tag names are stored in memory other than the parse buffer itself. Issues occur if the parse buffer is changed or reallocated (for example, if processing a file line by line), problems occur. Using this vulnerability in the doContent function allows an attacker to triage a denial of service or potentially arbitrary code execution.
Clone Of:
Environment:
Last Closed: 2022-12-17 07:18:21 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:6842 0 None None None 2022-10-06 17:06:53 UTC
Red Hat Product Errata RHBA-2022:6843 0 None None None 2022-10-06 17:08:35 UTC
Red Hat Product Errata RHBA-2022:6844 0 None None None 2022-10-06 17:53:59 UTC
Red Hat Product Errata RHBA-2022:6845 0 None None None 2022-10-06 18:38:37 UTC
Red Hat Product Errata RHBA-2022:6846 0 None None None 2022-10-06 17:22:04 UTC
Red Hat Product Errata RHBA-2022:6847 0 None None None 2022-10-06 18:00:18 UTC
Red Hat Product Errata RHBA-2022:6848 0 None None None 2022-10-06 18:06:47 UTC
Red Hat Product Errata RHBA-2022:6849 0 None None None 2022-10-06 18:07:54 UTC
Red Hat Product Errata RHBA-2022:6852 0 None None None 2022-10-11 07:24:45 UTC
Red Hat Product Errata RHBA-2022:6853 0 None None None 2022-10-11 07:23:21 UTC
Red Hat Product Errata RHBA-2022:6859 0 None None None 2022-10-11 06:40:21 UTC
Red Hat Product Errata RHBA-2022:6860 0 None None None 2022-10-11 07:26:49 UTC
Red Hat Product Errata RHBA-2022:6861 0 None None None 2022-10-11 07:28:20 UTC
Red Hat Product Errata RHBA-2022:6863 0 None None None 2022-10-11 09:28:32 UTC
Red Hat Product Errata RHBA-2022:6886 0 None None None 2022-10-11 14:30:16 UTC
Red Hat Product Errata RHBA-2022:6887 0 None None None 2022-10-11 14:31:34 UTC
Red Hat Product Errata RHBA-2022:6909 0 None None None 2022-10-12 07:13:57 UTC
Red Hat Product Errata RHBA-2022:6910 0 None None None 2022-10-12 07:19:52 UTC
Red Hat Product Errata RHBA-2022:6918 0 None None None 2022-10-12 10:22:59 UTC
Red Hat Product Errata RHBA-2022:6919 0 None None None 2022-10-12 10:19:36 UTC
Red Hat Product Errata RHBA-2022:6920 0 None None None 2022-10-12 15:01:49 UTC
Red Hat Product Errata RHBA-2022:6923 0 None None None 2022-10-12 15:41:18 UTC
Red Hat Product Errata RHBA-2022:6924 0 None None None 2022-10-12 17:17:22 UTC
Red Hat Product Errata RHBA-2022:6925 0 None None None 2022-10-12 16:11:22 UTC
Red Hat Product Errata RHBA-2022:6926 0 None None None 2022-10-12 17:58:06 UTC
Red Hat Product Errata RHBA-2022:6927 0 None None None 2022-10-12 19:31:38 UTC
Red Hat Product Errata RHBA-2022:6929 0 None None None 2022-10-12 23:38:08 UTC
Red Hat Product Errata RHBA-2022:6932 0 None None None 2022-10-13 07:39:46 UTC
Red Hat Product Errata RHBA-2022:6934 0 None None None 2022-10-13 07:52:27 UTC
Red Hat Product Errata RHBA-2022:6935 0 None None None 2022-10-13 07:48:44 UTC
Red Hat Product Errata RHBA-2022:6936 0 None None None 2022-10-13 07:50:25 UTC
Red Hat Product Errata RHBA-2022:6937 0 None None None 2022-10-13 08:30:29 UTC
Red Hat Product Errata RHBA-2022:6938 0 None None None 2022-10-13 08:32:02 UTC
Red Hat Product Errata RHBA-2022:6939 0 None None None 2022-10-13 08:33:24 UTC
Red Hat Product Errata RHBA-2022:6940 0 None None None 2022-10-13 11:19:34 UTC
Red Hat Product Errata RHBA-2022:6943 0 None None None 2022-10-13 10:00:38 UTC
Red Hat Product Errata RHBA-2022:6946 0 None None None 2022-10-13 12:57:40 UTC
Red Hat Product Errata RHBA-2022:6947 0 None None None 2022-10-13 11:40:26 UTC
Red Hat Product Errata RHBA-2022:6948 0 None None None 2022-10-13 11:30:25 UTC
Red Hat Product Errata RHBA-2022:6949 0 None None None 2022-10-13 11:40:45 UTC
Red Hat Product Errata RHBA-2022:6950 0 None None None 2022-10-13 12:19:24 UTC
Red Hat Product Errata RHBA-2022:6952 0 None None None 2022-10-13 14:09:31 UTC
Red Hat Product Errata RHBA-2022:6955 0 None None None 2022-10-13 17:39:40 UTC
Red Hat Product Errata RHBA-2022:6956 0 None None None 2022-10-13 17:35:35 UTC
Red Hat Product Errata RHBA-2022:6957 0 None None None 2022-10-13 17:59:15 UTC
Red Hat Product Errata RHBA-2022:6959 0 None None None 2022-10-13 17:41:07 UTC
Red Hat Product Errata RHBA-2022:6960 0 None None None 2022-10-13 17:43:08 UTC
Red Hat Product Errata RHBA-2022:6961 0 None None None 2022-10-13 17:44:58 UTC
Red Hat Product Errata RHBA-2022:6962 0 None None None 2022-10-13 17:47:06 UTC
Red Hat Product Errata RHBA-2022:6968 0 None None None 2022-10-17 08:16:45 UTC
Red Hat Product Errata RHBA-2022:6971 0 None None None 2022-10-17 10:23:08 UTC
Red Hat Product Errata RHBA-2022:6992 0 None None None 2022-10-18 09:59:58 UTC
Red Hat Product Errata RHBA-2022:6993 0 None None None 2022-10-18 12:04:00 UTC
Red Hat Product Errata RHBA-2022:6994 0 None None None 2022-10-18 12:21:48 UTC
Red Hat Product Errata RHBA-2022:7014 0 None None None 2022-10-18 15:59:41 UTC
Red Hat Product Errata RHBA-2022:7018 0 None None None 2022-10-18 16:14:01 UTC
Red Hat Product Errata RHBA-2022:7027 0 None None None 2022-10-18 19:45:18 UTC
Red Hat Product Errata RHBA-2022:7029 0 None None None 2022-10-18 20:15:41 UTC
Red Hat Product Errata RHBA-2022:7046 0 None None None 2022-10-19 10:40:05 UTC
Red Hat Product Errata RHBA-2022:7061 0 None None None 2022-10-20 09:11:23 UTC
Red Hat Product Errata RHBA-2022:7062 0 None None None 2022-10-20 10:14:06 UTC
Red Hat Product Errata RHBA-2022:7073 0 None None None 2022-10-20 15:35:26 UTC
Red Hat Product Errata RHBA-2022:7078 0 None None None 2022-10-24 08:53:15 UTC
Red Hat Product Errata RHBA-2022:7081 0 None None None 2022-10-24 11:43:53 UTC
Red Hat Product Errata RHBA-2022:7082 0 None None None 2022-10-24 12:17:14 UTC
Red Hat Product Errata RHBA-2022:7083 0 None None None 2022-10-24 12:13:31 UTC
Red Hat Product Errata RHBA-2022:7189 0 None None None 2022-10-25 14:53:17 UTC
Red Hat Product Errata RHBA-2022:7194 0 None None None 2022-10-25 17:11:02 UTC
Red Hat Product Errata RHBA-2022:7205 0 None None None 2022-10-26 07:48:25 UTC
Red Hat Product Errata RHBA-2022:7206 0 None None None 2022-10-26 10:21:14 UTC
Red Hat Product Errata RHBA-2022:7208 0 None None None 2022-10-26 09:55:29 UTC
Red Hat Product Errata RHBA-2022:7263 0 None None None 2022-10-31 14:48:22 UTC
Red Hat Product Errata RHBA-2022:7287 0 None None None 2022-11-01 17:07:51 UTC
Red Hat Product Errata RHBA-2022:7309 0 None None None 2022-11-02 04:30:01 UTC
Red Hat Product Errata RHBA-2022:7310 0 None None None 2022-11-02 11:50:43 UTC
Red Hat Product Errata RHBA-2022:7311 0 None None None 2022-11-02 08:56:38 UTC
Red Hat Product Errata RHBA-2022:7312 0 None None None 2022-11-02 10:38:29 UTC
Red Hat Product Errata RHBA-2022:7863 0 None None None 2022-11-09 01:36:45 UTC
Red Hat Product Errata RHBA-2022:7889 0 None None None 2022-11-09 11:58:36 UTC
Red Hat Product Errata RHBA-2022:7908 0 None None None 2022-11-09 17:03:01 UTC
Red Hat Product Errata RHBA-8023:0647 0 None None None 2023-02-06 01:05:45 UTC
Red Hat Product Errata RHSA-2022:6831 0 None None None 2022-10-06 12:20:38 UTC
Red Hat Product Errata RHSA-2022:6832 0 None None None 2022-10-06 12:23:31 UTC
Red Hat Product Errata RHSA-2022:6833 0 None None None 2022-10-06 12:22:04 UTC
Red Hat Product Errata RHSA-2022:6834 0 None None None 2022-10-06 12:31:05 UTC
Red Hat Product Errata RHSA-2022:6838 0 None None None 2022-10-06 14:52:08 UTC
Red Hat Product Errata RHSA-2022:6878 0 None None None 2022-10-11 12:49:16 UTC
Red Hat Product Errata RHSA-2022:6921 0 None None None 2022-10-12 11:20:09 UTC
Red Hat Product Errata RHSA-2022:6967 0 None None None 2022-10-17 08:11:14 UTC
Red Hat Product Errata RHSA-2022:6995 0 None None None 2022-10-18 12:44:57 UTC
Red Hat Product Errata RHSA-2022:6996 0 None None None 2022-10-18 12:46:34 UTC
Red Hat Product Errata RHSA-2022:6997 0 None None None 2022-10-18 12:53:30 UTC
Red Hat Product Errata RHSA-2022:6998 0 None None None 2022-10-18 12:55:00 UTC
Red Hat Product Errata RHSA-2022:7019 0 None None None 2022-10-18 18:12:42 UTC
Red Hat Product Errata RHSA-2022:7020 0 None None None 2022-10-18 18:17:55 UTC
Red Hat Product Errata RHSA-2022:7021 0 None None None 2022-10-18 18:14:14 UTC
Red Hat Product Errata RHSA-2022:7022 0 None None None 2022-10-18 18:16:04 UTC
Red Hat Product Errata RHSA-2022:7023 0 None None None 2022-10-18 18:21:02 UTC
Red Hat Product Errata RHSA-2022:7024 0 None None None 2022-10-18 18:22:40 UTC
Red Hat Product Errata RHSA-2022:7025 0 None None None 2022-10-18 18:24:18 UTC
Red Hat Product Errata RHSA-2022:7026 0 None None None 2022-10-18 18:19:27 UTC
Red Hat Product Errata RHSA-2022:8598 0 None None None 2022-11-22 15:28:35 UTC
Red Hat Product Errata RHSA-2022:8841 0 None None None 2022-12-08 13:22:29 UTC

Description Sandipan Roy 2022-09-29 05:02:33 UTC 
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

https://github.com/advisories/GHSA-2vq2-xc55-3j5m
https://github.com/libexpat/libexpat/pull/629
https://github.com/libexpat/libexpat/pull/640
https://www.debian.org/security/2022/dsa-5236
https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html
Comment 1 Sandipan Roy 2022-09-29 05:17:58 UTC 
Created expat tracking bugs for this issue:

Affects: fedora-35 [bug 2130777]
Affects: fedora-36 [bug 2130780]


Created mingw-expat tracking bugs for this issue:

Affects: fedora-35 [bug 2130778]
Affects: fedora-36 [bug 2130781]


Created xmlrpc-c tracking bugs for this issue:

Affects: fedora-35 [bug 2130779]
Affects: fedora-36 [bug 2130782]
Comment 8 errata-xmlrpc 2022-10-06 12:20:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6831 https://access.redhat.com/errata/RHSA-2022:6831
Comment 9 errata-xmlrpc 2022-10-06 12:21:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:6833 https://access.redhat.com/errata/RHSA-2022:6833
Comment 10 errata-xmlrpc 2022-10-06 12:23:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:6832 https://access.redhat.com/errata/RHSA-2022:6832
Comment 11 errata-xmlrpc 2022-10-06 12:30:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:6834 https://access.redhat.com/errata/RHSA-2022:6834
Comment 12 errata-xmlrpc 2022-10-06 14:52:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6838 https://access.redhat.com/errata/RHSA-2022:6838
Comment 13 errata-xmlrpc 2022-10-11 12:49:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6878 https://access.redhat.com/errata/RHSA-2022:6878
Comment 14 errata-xmlrpc 2022-10-12 11:20:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:6921 https://access.redhat.com/errata/RHSA-2022:6921
Comment 15 errata-xmlrpc 2022-10-17 08:11:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:6967 https://access.redhat.com/errata/RHSA-2022:6967
Comment 16 errata-xmlrpc 2022-10-18 12:44:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6995 https://access.redhat.com/errata/RHSA-2022:6995
Comment 17 errata-xmlrpc 2022-10-18 12:46:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:6996 https://access.redhat.com/errata/RHSA-2022:6996
Comment 18 errata-xmlrpc 2022-10-18 12:53:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:6997 https://access.redhat.com/errata/RHSA-2022:6997
Comment 19 errata-xmlrpc 2022-10-18 12:54:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:6998 https://access.redhat.com/errata/RHSA-2022:6998
Comment 20 errata-xmlrpc 2022-10-18 18:12:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:7019 https://access.redhat.com/errata/RHSA-2022:7019
Comment 21 errata-xmlrpc 2022-10-18 18:14:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:7021 https://access.redhat.com/errata/RHSA-2022:7021
Comment 22 errata-xmlrpc 2022-10-18 18:15:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:7022 https://access.redhat.com/errata/RHSA-2022:7022
Comment 23 errata-xmlrpc 2022-10-18 18:17:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7020 https://access.redhat.com/errata/RHSA-2022:7020
Comment 24 errata-xmlrpc 2022-10-18 18:19:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7026 https://access.redhat.com/errata/RHSA-2022:7026
Comment 25 errata-xmlrpc 2022-10-18 18:20:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7023 https://access.redhat.com/errata/RHSA-2022:7023
Comment 26 errata-xmlrpc 2022-10-18 18:22:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7024 https://access.redhat.com/errata/RHSA-2022:7024
Comment 27 errata-xmlrpc 2022-10-18 18:24:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:7025 https://access.redhat.com/errata/RHSA-2022:7025
Comment 29 errata-xmlrpc 2022-11-22 15:28:32 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:8598 https://access.redhat.com/errata/RHSA-2022:8598
Comment 30 errata-xmlrpc 2022-12-08 13:22:24 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841
Comment 31 Product Security DevOps Team 2022-12-17 07:18:15 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-40674
Note You need to log in before you can comment on or make changes to this bug.