Bug 2056370 (CVE-2022-25236) - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
Status: CLOSED ERRATA
Alias: CVE-2022-25236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2056371 2056372 2057008 2057009 2057010 2057011 2057012 2057013 2057014 2057023 2057323 2057324 2057429 2058055 2058056 2058057 2058058 2058059 2058060 2058061 2058062 2058063 2058064 2058065 2058066 2058067 2058068 2058069 2058070 2058071 2058072 2058073 2058074 2058075 2058076 2058077 2058078 2058079 2058080 2058081 2058082 2058083 2058084 2058350 2058353 2064169 2065579 2065582 2070468 2072093
Blocks: 2056373
Reported: 2022-02-21 05:30 UTC by Avinash Hanwate
Modified: 2023-05-16 16:16 UTC

Fixed In Version: expat 2.4.5
Doc Text:
A flaw was found in expat. Passing one or more namespace-separator characters in "xmlns[:prefix]" attribute values made expat send malformed tag names to the XML processor built on top of expat. This issue can lead to arbitrary code execution, depending on how the XML processor handles such unexpected names.
Last Closed: 2022-12-04 00:32:45 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0953 0 None None None 2022-03-16 21:53:39 UTC
Red Hat Product Errata RHBA-2022:0957 0 None None None 2022-03-17 15:58:27 UTC
Red Hat Product Errata RHBA-2022:0959 0 None None None 2022-03-17 17:17:52 UTC
Red Hat Product Errata RHBA-2022:0960 0 None None None 2022-03-17 17:34:11 UTC
Red Hat Product Errata RHBA-2022:0964 0 None None None 2022-03-17 21:26:57 UTC
Red Hat Product Errata RHBA-2022:0965 0 None None None 2022-03-17 21:56:46 UTC
Red Hat Product Errata RHBA-2022:0976 0 None None None 2022-03-21 11:35:15 UTC
Red Hat Product Errata RHBA-2022:0977 0 None None None 2022-03-21 11:36:23 UTC
Red Hat Product Errata RHBA-2022:0978 0 None None None 2022-03-21 11:36:51 UTC
Red Hat Product Errata RHBA-2022:0979 0 None None None 2022-03-21 14:37:14 UTC
Red Hat Product Errata RHBA-2022:0980 0 None None None 2022-03-21 14:44:43 UTC
Red Hat Product Errata RHBA-2022:0981 0 None None None 2022-03-21 14:42:19 UTC
Red Hat Product Errata RHBA-2022:1005 0 None None None 2022-03-22 08:41:48 UTC
Red Hat Product Errata RHBA-2022:1014 0 None None None 2022-03-22 17:11:06 UTC
Red Hat Product Errata RHBA-2022:1016 0 None None None 2022-03-22 20:25:19 UTC
Red Hat Product Errata RHBA-2022:1031 0 None None None 2022-03-23 11:13:02 UTC
Red Hat Product Errata RHBA-2022:1046 0 None None None 2022-03-24 09:35:49 UTC
Red Hat Product Errata RHBA-2022:1048 0 None None None 2022-03-24 10:43:31 UTC
Red Hat Product Errata RHBA-2022:1057 0 None None None 2022-03-24 16:13:27 UTC
Red Hat Product Errata RHBA-2022:1058 0 None None None 2022-03-24 15:32:39 UTC
Red Hat Product Errata RHBA-2022:1079 0 None None None 2022-03-28 11:32:26 UTC
Red Hat Product Errata RHBA-2022:1085 0 None None None 2022-03-28 18:10:51 UTC
Red Hat Product Errata RHBA-2022:1089 0 None None None 2022-03-29 01:11:49 UTC
Red Hat Product Errata RHBA-2022:1099 0 None None None 2022-03-29 07:42:31 UTC
Red Hat Product Errata RHBA-2022:1100 0 None None None 2022-03-29 07:40:14 UTC
Red Hat Product Errata RHBA-2022:1101 0 None None None 2022-03-29 08:13:46 UTC
Red Hat Product Errata RHBA-2022:1117 0 None None None 2022-03-29 15:05:31 UTC
Red Hat Product Errata RHBA-2022:1118 0 None None None 2022-03-29 15:07:31 UTC
Red Hat Product Errata RHBA-2022:1119 0 None None None 2022-03-29 15:08:36 UTC
Red Hat Product Errata RHBA-2022:1120 0 None None None 2022-03-29 15:12:00 UTC
Red Hat Product Errata RHBA-2022:1121 0 None None None 2022-03-29 15:10:25 UTC
Red Hat Product Errata RHBA-2022:1122 0 None None None 2022-03-29 15:18:04 UTC
Red Hat Product Errata RHBA-2022:1125 0 None None None 2022-03-29 15:36:51 UTC
Red Hat Product Errata RHBA-2022:1126 0 None None None 2022-03-29 19:10:57 UTC
Red Hat Product Errata RHBA-2022:1127 0 None None None 2022-03-29 19:11:51 UTC
Red Hat Product Errata RHBA-2022:1130 0 None None None 2022-03-29 17:45:31 UTC
Red Hat Product Errata RHBA-2022:1131 0 None None None 2022-03-29 18:13:37 UTC
Red Hat Product Errata RHBA-2022:1140 0 None None None 2022-03-30 13:35:52 UTC
Red Hat Product Errata RHBA-2022:1150 0 None None None 2022-03-31 18:41:30 UTC
Red Hat Product Errata RHBA-2022:1172 0 None None None 2022-04-04 08:24:27 UTC
Red Hat Product Errata RHBA-2022:1176 0 None None None 2022-04-04 10:45:39 UTC
Red Hat Product Errata RHBA-2022:1191 0 None None None 2022-04-05 13:28:46 UTC
Red Hat Product Errata RHBA-2022:1258 0 None None None 2022-04-06 17:10:25 UTC
Red Hat Product Errata RHBA-2022:1289 0 None None None 2022-04-11 05:59:59 UTC
Red Hat Product Errata RHBA-2022:1308 0 None None None 2022-04-11 14:51:20 UTC
Red Hat Product Errata RHBA-2022:1319 0 None None None 2022-04-12 11:31:20 UTC
Red Hat Product Errata RHBA-2022:1380 0 None None None 2022-04-18 10:57:48 UTC
Red Hat Product Errata RHBA-2022:1385 0 None None None 2022-04-18 13:53:44 UTC
Red Hat Product Errata RHBA-2022:1392 0 None None None 2022-04-19 08:56:42 UTC
Red Hat Product Errata RHBA-2022:1434 0 None None None 2022-04-20 06:53:19 UTC
Red Hat Product Errata RHBA-2022:1495 0 None None None 2022-04-21 14:03:03 UTC
Red Hat Product Errata RHBA-2022:1507 0 None None None 2022-04-21 16:15:03 UTC
Red Hat Product Errata RHBA-2022:1608 0 None None None 2022-04-27 07:57:00 UTC
Red Hat Product Errata RHBA-2022:1609 0 None None None 2022-04-27 07:16:24 UTC
Red Hat Product Errata RHBA-2022:1610 0 None None None 2022-04-27 07:18:00 UTC
Red Hat Product Errata RHBA-2022:1611 0 None None None 2022-04-27 07:19:08 UTC
Red Hat Product Errata RHBA-2022:1612 0 None None None 2022-04-27 07:20:49 UTC
Red Hat Product Errata RHBA-2022:1613 0 None None None 2022-04-27 07:21:38 UTC
Red Hat Product Errata RHBA-2022:1614 0 None Waiting on Customer Egress traffic correct mac address leaves the cluster wrong one comes back 2022-06-27 15:55:49 UTC
Red Hat Product Errata RHBA-2022:1615 0 None Waiting on Customer How to configure a default namespace for Podman socket API? 2022-05-10 14:46:26 UTC
Red Hat Product Errata RHBA-2022:1616 0 None None None 2022-04-27 07:27:25 UTC
Red Hat Product Errata RHBA-2022:1639 0 None Waiting on Red Hat rhel-system-roles.network is not able to configure all features 2022-06-23 10:09:10 UTC
Red Hat Product Errata RHSA-2022:0815 0 None None None 2022-03-10 15:06:50 UTC
Red Hat Product Errata RHSA-2022:0816 0 None None None 2022-03-10 15:14:43 UTC
Red Hat Product Errata RHSA-2022:0817 0 None None None 2022-03-10 15:24:53 UTC
Red Hat Product Errata RHSA-2022:0818 0 None None None 2022-03-10 15:18:56 UTC
Red Hat Product Errata RHSA-2022:0824 0 None None None 2022-03-10 16:28:14 UTC
Red Hat Product Errata RHSA-2022:0843 0 None None None 2022-03-14 10:04:49 UTC
Red Hat Product Errata RHSA-2022:0845 0 None None None 2022-03-14 10:13:35 UTC
Red Hat Product Errata RHSA-2022:0847 0 None Waiting on Customer USB device not mounting on RHEL 8.5 system 2022-04-12 13:24:48 UTC
Red Hat Product Errata RHSA-2022:0850 0 None None None 2022-03-14 10:44:45 UTC
Red Hat Product Errata RHSA-2022:0853 0 None None None 2022-03-14 10:26:34 UTC
Red Hat Product Errata RHSA-2022:0951 0 None None None 2022-03-16 16:17:42 UTC
Red Hat Product Errata RHSA-2022:1012 0 None None None 2022-03-22 16:20:15 UTC
Red Hat Product Errata RHSA-2022:1053 0 None None None 2022-03-24 13:30:52 UTC
Red Hat Product Errata RHSA-2022:1068 0 None None None 2022-03-28 08:56:47 UTC
Red Hat Product Errata RHSA-2022:1069 0 None Closed Cluster Version Operator timeout at bypassed proxy. 2022-04-29 14:25:52 UTC
Red Hat Product Errata RHSA-2022:1070 0 None None None 2022-03-28 09:43:18 UTC
Red Hat Product Errata RHSA-2022:1263 0 None None None 2022-04-07 09:03:43 UTC
Red Hat Product Errata RHSA-2022:1309 0 None None None 2022-04-12 15:45:35 UTC
Red Hat Product Errata RHSA-2022:7143 0 None None None 2022-10-26 20:22:09 UTC
Red Hat Product Errata RHSA-2022:7144 0 None None None 2022-10-26 20:08:36 UTC
Red Hat Product Errata RHSA-2022:7811 0 None None None 2022-11-08 10:34:48 UTC

Description Avinash Hanwate 2022-02-21 05:30:26 UTC
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

http://www.openwall.com/lists/oss-security/2022/02/19/1
https://github.com/libexpat/libexpat/pull/561
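
Added example (not part of the bug report or of expat's code): a behavioural check, through Python's `xml.parsers.expat` binding, of whether the linked expat rejects a namespace URI containing the separator, plus a handler-side split that refuses ambiguous names. The separator choice, the sample documents and the helper names `element_names`, `split_name` and `probe` are assumptions made for this illustration.

```python
import xml.parsers.expat as expat

SEP = " "  # separator the application asks expat to use (assumed for this example)

# Constructed inputs: identical except that CRAFTED carries SEP inside the URI.
BENIGN = b'<root xmlns="urn:example:ns"/>'
CRAFTED = b'<root xmlns="urn:example:ns extra"/>'


def element_names(doc, sep=SEP):
    """Parse doc with namespace processing and return the names expat delivers."""
    names = []
    parser = expat.ParserCreate(namespace_separator=sep)
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(doc, True)
    return names


def split_name(name, sep=SEP):
    """Split 'uri<sep>local' into (uri, local); refuse anything ambiguous.

    Assumes prefix triplets (parser.namespace_prefixes) are left disabled.
    """
    parts = name.split(sep)
    if len(parts) == 1:
        return ("", parts[0])  # element is in no namespace
    if len(parts) != 2:
        raise ValueError("malformed expanded name: %r" % name)
    return (parts[0], parts[1])


def probe(sep=SEP):
    """'rejected' if the linked expat refuses CRAFTED, 'delivered' if it does not."""
    try:
        element_names(CRAFTED, sep)
    except expat.ExpatError:
        return "rejected"
    # The parser accepted a URI containing the separator: handlers above it
    # receive a name that no longer splits cleanly into (uri, local).
    return "delivered"


if __name__ == "__main__":
    print(expat.EXPAT_VERSION, probe())
```

A result of `delivered` means the separator reached the handler layer, which is where `split_name` raises instead of guessing where the URI ends.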

Comment 1 Avinash Hanwate 2022-02-21 05:30:58 UTC
Created expat tracking bugs for this issue:

Affects: fedora-all [bug 2056371]


Created mingw-expat tracking bugs for this issue:

Affects: fedora-all [bug 2056372]

Comment 4 Mauro Matteo Cascella 2022-02-22 15:18:17 UTC
Upstream commit:
https://github.com/libexpat/libexpat/commit/a2fe525e660badd64b6c557c2b1ec26ddc07f6e4

Comment 7 Mauro Matteo Cascella 2022-02-23 11:51:31 UTC
Created xmlrpc-c tracking bugs for this issue:

Affects: fedora-all [bug 2057429]

Comment 13 errata-xmlrpc 2022-03-10 15:06:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0815 https://access.redhat.com/errata/RHSA-2022:0815

Comment 14 errata-xmlrpc 2022-03-10 15:14:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0816 https://access.redhat.com/errata/RHSA-2022:0816

Comment 15 errata-xmlrpc 2022-03-10 15:18:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0818 https://access.redhat.com/errata/RHSA-2022:0818

Comment 16 errata-xmlrpc 2022-03-10 15:24:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0817 https://access.redhat.com/errata/RHSA-2022:0817

Comment 17 errata-xmlrpc 2022-03-10 16:28:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0824 https://access.redhat.com/errata/RHSA-2022:0824

Comment 18 errata-xmlrpc 2022-03-14 10:04:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0843 https://access.redhat.com/errata/RHSA-2022:0843

Comment 19 errata-xmlrpc 2022-03-14 10:07:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0847 https://access.redhat.com/errata/RHSA-2022:0847

Comment 20 errata-xmlrpc 2022-03-14 10:13:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0845 https://access.redhat.com/errata/RHSA-2022:0845

Comment 21 errata-xmlrpc 2022-03-14 10:26:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0853 https://access.redhat.com/errata/RHSA-2022:0853

Comment 22 errata-xmlrpc 2022-03-14 10:44:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0850 https://access.redhat.com/errata/RHSA-2022:0850

Comment 23 errata-xmlrpc 2022-03-16 16:17:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0951 https://access.redhat.com/errata/RHSA-2022:0951

Comment 24 Sandro Bonazzola 2022-03-18 09:18:18 UTC
Created expat tracking bugs for this issue:

Affects: oVirt 4.4 [ bug 2065579 ]

Affects: CentOS Stream 8 [ bug 2065582 ]

Comment 25 errata-xmlrpc 2022-03-22 16:20:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1012 https://access.redhat.com/errata/RHSA-2022:1012

Comment 26 errata-xmlrpc 2022-03-24 13:30:47 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:1053 https://access.redhat.com/errata/RHSA-2022:1053

Comment 27 errata-xmlrpc 2022-03-28 08:56:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:1068 https://access.redhat.com/errata/RHSA-2022:1068

Comment 28 errata-xmlrpc 2022-03-28 09:43:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:1070 https://access.redhat.com/errata/RHSA-2022:1070

Comment 29 errata-xmlrpc 2022-03-28 11:49:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1069 https://access.redhat.com/errata/RHSA-2022:1069

Comment 31 errata-xmlrpc 2022-04-07 09:03:39 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263

Comment 32 errata-xmlrpc 2022-04-12 15:45:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:1309 https://access.redhat.com/errata/RHSA-2022:1309

Comment 33 errata-xmlrpc 2022-10-26 20:08:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:7144 https://access.redhat.com/errata/RHSA-2022:7144

Comment 34 errata-xmlrpc 2022-10-26 20:22:03 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:7143 https://access.redhat.com/errata/RHSA-2022:7143

Comment 36 errata-xmlrpc 2022-11-08 10:34:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7811 https://access.redhat.com/errata/RHSA-2022:7811

Comment 37 Product Security DevOps Team 2022-12-04 00:32:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-25236