CVE-2022-23852 Expat has a signed integer overflow in XML_GetBuffer for configurations with a nonzero XML_CONTEXT_BYTES.
Depending on the amount of data that is stored in a given buffer, this can lead to a crash or, potentially, the execution of arbitrary code. This issue does not affect most users, since it only occurs in the Expat parser and does not affect rendering of XML documents.
Parsing XML documents through the Expat library is a common task for many applications. The Expat library is commonly used for RSS and Atom feeds, as well as in many other contexts. If an application links against the libexpat library, it may be affected by this issue; applications that do not link against libexpat are not affected.
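As an added illustration (not libexpat's own code, and simplified from it), the C below shows the shape of the size arithmetic XML_GetBuffer performs when XML_CONTEXT_BYTES is nonzero, beside a version that checks every step for signed overflow, which is the class of fix the referenced pull request applies. CONTEXT_BYTES, the function names and the sample inputs are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#define CONTEXT_BYTES 1024  /* stands in for a nonzero XML_CONTEXT_BYTES (assumed) */

/* Shape of the pre-fix arithmetic: a large 'len' can make the subtraction or
 * the addition wrap (signed overflow is undefined behaviour in C). */
static int needed_size_unchecked(int len, int unparsed, int consumed) {
    int keep = consumed > CONTEXT_BYTES ? CONTEXT_BYTES : consumed;
    return (len - unparsed) + keep;
}

/* Hardened form: validate inputs and test each step before performing it.
 * 'len' = requested bytes, 'unparsed' = buffered but not yet parsed bytes,
 * 'consumed' = parsed bytes (context to keep). False when it would overflow. */
static bool needed_size_checked(int len, int unparsed, int consumed, int *out) {
    if (len < 0 || unparsed < 0 || consumed < 0)
        return false;
    int needed = len - unparsed;             /* both >= 0: cannot wrap */
    int keep = consumed > CONTEXT_BYTES ? CONTEXT_BYTES : consumed;
    if (needed > INT_MAX - keep)             /* addition would wrap */
        return false;
    *out = needed + keep;
    return true;
}

/* Same check, returning -1 instead of a bool plus out-parameter. */
static int needed_size_or_minus1(int len, int unparsed, int consumed) {
    int out;
    return needed_size_checked(len, unparsed, consumed, &out) ? out : -1;
}

/* Growth step: double the allocation until it covers 'needed', refusing
 * when the doubling itself would wrap. Returns 0 on overflow. */
static int grow_size_checked(int current, int needed) {
    int size = current > 0 ? current : 1;
    while (size < needed) {
        if (size > INT_MAX / 2)
            return 0;
        size *= 2;
    }
    return size;
}

int main(void) {
    int n = needed_size_or_minus1(100, 10, 5000);   /* safe input: both agree */
    printf("checked=%d unchecked=%d grow=%d\n", n,
           needed_size_unchecked(100, 10, 5000), grow_size_checked(1024, n));
    printf("INT_MAX request -> %d (rejected)\n", needed_size_or_minus1(INT_MAX, 0, 5000));
    return 0;
}
```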
What is the libexpat Parser?
The libexpat library is a C library for parsing XML documents. It also provides the Expat parser, which many applications use to parse XML documents.
This vulnerability affects those who are using either the Expat library or its parser, which is used by many applications that make use of XML. This vulnerability applies specifically to the libexpat parser and not to other parsers such as Xerces.
Vulnerability Description
The libexpat library has a vulnerability, tracked as CVE-2022-23852, that can lead to the execution of arbitrary code if a buffer is too small. The vulnerability only affects applications linked against the libexpat library; applications that do not link against libexpat are not affected.
If an application linked against the libexpat library looks for a string in a buffer smaller than 2,048 bytes, it may be possible for attackers to execute arbitrary code within the context of that application, with the privileges of the user running it. This requires either physical access or crafting an XML document with an entity reference whose data size is less than 2,048 bytes. It also requires either access to write an XML file or the ability to pass XML through a web service to which one cannot write, such as via HTTP GET requests.
What to do if you are using the libexpat library
If you are using the libexpat library, there is no need to take any action. The issue only affects applications that link against the libexpat library.
What is the libexpat XML parser?
The libexpat XML parser is a software library that parses and validates XML documents. The libexpat library is used in many applications, including RSS and Atom feeds, as well as other contexts.
Vulnerability Information
The vulnerability can be triggered by sending invalid XML documents to the Expat parser. This issue only affects those applications linked against the libexpat library. The vulnerability causes the application to crash or execute arbitrary code.
Vendor Response
In a blog post, Expat says that if an application is using the libexpat library, it may be affected by this issue. If an application is affected, it needs to be updated. This issue does not affect most users, since it only affects parsing of XML documents through the Expat parser, not applications in general.
Timeline
Published on: 01/24/2022 02:15:00 UTC
Last modified on: 06/14/2022 11:15:00 UTC
References
- https://github.com/libexpat/libexpat/pull/550
- https://www.tenable.com/security/tns-2022-05
- https://www.debian.org/security/2022/dsa-5073
- https://security.netapp.com/advisory/ntap-20220217-0001/
- https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23852