1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202210-38 ] Expat: Denial of Service

    From glsamaker@gentoo.org@21:1/5 to All on Mon Oct 31 21:40:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202210-38
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Low
    Title: Expat: Denial of Service
    Date: October 31, 2022
    Bugs: #878271
    ID: 202210-38

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been found in Expat which could result in denial of service.

    Background
    ==========

    Expat is a set of XML parsing libraries.

    Affected packages
    =================

    -------------------------------------------------------------------
    Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
    1 dev-libs/expat < 2.5.0 >= 2.5.0

    Description
    ===========

    In certain out-of-memory situations, Expat may free memory before it
    should, leading to a use-after-free.

    Impact
    ======

    A use-after-free can result in denial of service.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Expat users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/expat-2.5.0"

    References
    ==========

    [ 1 ] CVE-2022-43680
    https://nvd.nist.gov/vuln/detail/CVE-2022-43680

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202210-38

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmNgLpcACgkQFMQkOaVy +9mkmhAAntkQZSmq/TTmokrcUnvmvJhKy6HZSY/Qckxd+e+IUG+Iof0UFF4BfOvh RUzbErPpM8U9xP5cZX1xiROA+XiVmjgZn4qcoRz44Xc+ixg2A+0uzjrLSmlpI4Bt fMxgT8h+NeywDeRQl6tzM8eZOzefPCVsYniBZk52KOBvCdb31TXUNDrL6AdVHYgD NQX+9TINwesvvQQsZCdSn6tqagliqVj0XCXSfSvcbchmVpePar+bY2Fcc54BEuoF NqD2G4A1gmQ5dpkVEOH15j3BBCtlQvwZgrcs7t5HYOUDLzToCerCzB30vKr1Ltis tTA8jfClfhCzCNMHL8+njgDX8sYrqY36YeDG4BwaVXui+gqx2AEAyeXexNKbtwPK aJ7rkzpFEKZMFxNf/SoClNLMZ1y2uc/Q589p3opx9bLApV5n4akwCkQBcfKCG/L1 22bM8vw/uDwIhl3Ftmx1CTWMVaHZlwOZGBh5uOWEKIgLbaV4o8nY7E3eTHmlOVt7 yzg0mq1pxS4VqXnQjkTP4kaS2K8W3rWOSyk09KcrogFQjxEwXqn5xmTtsNN3qiLm cAv1cjDmlQmSEBFlvtq3zUby0ZOYbE2jrpulJAfzr0LCJtvU8b0Qg0MqwpyirQbT suVn3vKK330ReoGImx4yd5RV+2VdEyVvGpyLTMM2Q9Let1jrEYE=
    =Axk8
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)