On 2021-12-24, a member of Trend Micro Zero Day Initiative ("ZDI") shared a vulnerability named ZDI-CAN-16157 in libexpat with me that was discovered by an anonymous individual working with Trend Micro ZDI. I would like to thank both Trend Micro and the anonymous individual for their whitehat work on libexpat security. Thank you! 🙏
Similar to ticket #531, the issue is an integer overflow (in multiplication) near a call to realloc; it takes a ~2 GiB crafted XML file to trigger and then causes denial of service or more. The issue has existed since commit 347e19a and hence affects even the oldest (pre-)releases.
A pull request and likely a CVE are upcoming, and release 2.4.3 will follow soon.
Best, Sebastian
-- CVSS -----------------------------------------
8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
[..]
Analysis
This is an integer overflow vulnerability that exists in the expat library. The vulnerable function is doProlog.
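As an added example (not libexpat's code, and not the fix the project shipped for this issue), the pattern the report describes, an unsigned capacity that is doubled and then handed to realloc, shown in its unchecked form beside a checked version that refuses the growth before the multiplication can wrap. The Parser struct, the buffer name, the initial capacity of 32 and the UINT_MAX / 2 threshold are assumptions of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative pattern only, not libexpat's code: a parser-owned buffer
 * whose capacity (m_groupSize, an unsigned int as in the issue title)
 * is doubled whenever the parser needs more room. The element buffer
 * name and the initial capacity of 32 are assumptions of this example. */
typedef struct {
    char *groupConnector;      /* hypothetical element buffer */
    unsigned int m_groupSize;  /* current capacity, in elements */
} Parser;

/* The weak form: doubling without a bound. Unsigned multiplication wraps,
 * so once m_groupSize reaches 2^31 the product is 0, and a realloc with
 * that size hands back a buffer far smaller than the parser believes. */
static unsigned int double_unchecked(unsigned int size) {
    return size * 2u;
}

/* True when the unchecked doubling has wrapped around. */
static bool doubling_wrapped(unsigned int size) {
    return double_unchecked(size) < size;
}

/* The hardened form: refuse the growth when 2 * m_groupSize cannot be
 * represented, and when the byte count handed to realloc would overflow
 * size_t. Returns false and leaves the parser untouched instead of
 * allocating an undersized buffer, so the caller can report an
 * allocation failure deterministically. */
static bool grow_group_checked(Parser *p, size_t elem_size) {
    unsigned int new_size;
    if (p->m_groupSize == 0) {
        new_size = 32;                         /* assumed initial capacity */
    } else {
        if (p->m_groupSize > UINT_MAX / 2u)
            return false;                      /* doubling would wrap */
        new_size = p->m_groupSize * 2u;
    }
    if (elem_size == 0 || new_size > SIZE_MAX / elem_size)
        return false;                          /* byte count would wrap */
    char *tmp = realloc(p->groupConnector, (size_t)new_size * elem_size);
    if (tmp == NULL)
        return false;                          /* genuine out-of-memory */
    p->groupConnector = tmp;
    p->m_groupSize = new_size;
    return true;
}

int main(void) {
    unsigned int at_limit = 0x80000000u;       /* 2^31 elements, constructed */
    printf("unchecked: %u * 2 = %u (wrapped: %s)\n", at_limit,
           double_unchecked(at_limit), doubling_wrapped(at_limit) ? "yes" : "no");

    Parser p = { NULL, at_limit };             /* constructed state at the limit */
    printf("checked growth at limit: %s\n",
           grow_group_checked(&p, sizeof(char)) ? "grew" : "refused");

    Parser q = { NULL, 0 };
    if (grow_group_checked(&q, sizeof(char)))
        printf("checked growth from 0: capacity now %u\n", q.m_groupSize);
    free(q.groupConnector);
    return 0;
}
```

The point of the checked form is that the decision is made on the capacity before the multiply, not on its product: a product that has already wrapped looks like a perfectly ordinary small allocation, which is why the unchecked version fails silently rather than at realloc.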
hartwork changed the title from "Reserved #532 (security issue upcoming)" to "Crafted XML file can cause integer overflow on m_groupSize in function doProlog" on Jan 4, 2022
hartwork changed the title from "Crafted XML file can cause integer overflow on m_groupSize in function doProlog" to "[CVE-2021-46143] Crafted XML file can cause integer overflow on m_groupSize in function doProlog" on Jan 6, 2022
Hi @ddillard, it's 8 CVEs in total, 3 pull requests, all related to fixed-size integer math near memory allocation. Current ETA for release 2.4.3 is Sunday, January 16th, two days from now; see pull request #543. If you like, you can watch the repository for releases (using the watch button near the top right of the page) and then GitHub will send you e-mail for every future Git tag. Thanks for your interest in libexpat security.