UbuntuUpdates.org

Package "libexpat1-dev"

Name: libexpat1-dev

Description:

XML parsing C library - development kit

Latest version: 2.2.9-1ubuntu0.8
Release: focal (20.04)
Level: updates
Repository: main
Head package: expat
Homepage: https://libexpat.github.io/

Links


Download "libexpat1-dev"


Other versions of "libexpat1-dev" in Focal

Repository Area Version
base main 2.2.9-1build1
security main 2.2.9-1ubuntu0.8

Changelog

Version: 2.2.9-1ubuntu0.2 2022-02-21 16:06:29 UTC

  expat (2.2.9-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Realloc misbehavior
    - debian/patches/CVE-2021-45960.patch: detect and prevent troublesome
      left shifts in function storeAtts in expat/lib/xmlparse.c.
    - CVE-2021-45960
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2021-46143.patch: prevent integer overflow
      on m_groupSize in function doProlog in expat/lib/xmlparse.c.
    - CVE-2021-46143
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-22822-to-CVE-2022-22827.patch: prevent integer overflow
      in multiple places in expat/lib/xmlparse.c.
    - CVE-2022-22822
    - CVE-2022-22823
    - CVE-2022-22824
    - CVE-2022-22825
    - CVE-2022-22826
    - CVE-2022-22827
  * SECURITY UPDATE: Signed integer overflow
    - debian/patches/CVE-2022-23852-*.patch: detect and prevent
      integer overflow in XML_GetBuffer in expat/lib/xmlparse.c and
      adds test to cover it in expat/tests/runtests.c.
    - CVE-2022-23852
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-23990.patch: prevent integer overflow in
      doProlog in expat/lib/xmlparse.c.
    - CVE-2022-23990
  * SECURITY UPDATE: Incomplete validation encoding
    - debian/patches/CVE-2022-25235-*.patch: adds missing validation
      and adds tests in expat/lib/xmltok_impl.c, expat/tests/runtests.c.
    - CVE-2022-25235
  * SECURITY UPDATE: Namespace-separator insertions
    - debian/patches/CVE-2022-25236-*.patch: Protect against malicious
      namespace declarations in expat/lib/xmlparse.c, expat/tests/runtests.c.
    - CVE-2022-25236

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 17 Feb 2022 20:09:12 -0300

CVE-2021-45960 In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.
CVE-2021-46143 In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVE-2022-22822 addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22827 storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22823 build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22824 defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22825 lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22826 nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-23852 Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVE-2022-23990 Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
CVE-2022-25235 xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a c
CVE-2022-25236 xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.



About   -   Send Feedback to @ubuntu_updates