On 2021-12-24, a member of Trend Micro Zero Day Initiative ("ZDI") shared a vulnerability named ZDI-CAN-16157 in libexpat with me that has been discovered by an anonymous individual working with Trend Micro ZDI. I would like to thank both Trend Micro and the anonymous individual for their whitehat work on libexpat security. Thank you! 🙏
Similar to ticket #531, the issue is an integer overflow (in multiplication) near a call to realloc that takes a ~2 GiB crafted XML file, and then will cause denial of service or more. The issue exists since commit 347e19a and hence affects even the oldest (pre-)releases.
-- CVSS -----------------------------------------
8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
[..]
Analysis
This is an integer overflow vulnerability that exists in the expat library. The vulnerable function is doProlog.
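The bug class the report describes, as an added example that is not libexpat's own code: a buffer-growth step on an unsigned int counter (standing in for m_groupSize) that is doubled and then multiplied by an element size on the way to realloc. The unchecked variant shows the doubling wrapping modulo 2^32; the checked variant refuses before either multiplication can overflow. All function names here are my own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Unchecked growth step (illustrative, not expat's code): an unsigned
   int counter, like the report's m_groupSize, is doubled and then
   multiplied by an element size on the way to realloc. The doubling
   wraps modulo 2^32 once the counter reaches 2^31, so realloc receives
   a tiny byte count while the caller believes it has a huge buffer. */
size_t grow_bytes_unchecked(unsigned int group_size, size_t elem_size) {
    group_size *= 2; /* wraps when group_size >= 0x80000000 */
    return (size_t)group_size * elem_size;
}

/* Checked growth step: refuse before either multiplication can wrap.
   Returns 1 with the new counter and byte count, or 0 and no change. */
int grow_bytes_checked(unsigned int group_size, size_t elem_size,
                       unsigned int *doubled_out, size_t *bytes_out) {
    if (group_size == 0 || group_size > UINT_MAX / 2u)
        return 0; /* nothing to grow, or doubling would overflow */
    unsigned int doubled = group_size * 2u;
    if (elem_size != 0 && doubled > SIZE_MAX / elem_size)
        return 0; /* doubled * elem_size would overflow size_t */
    *doubled_out = doubled;
    *bytes_out = (size_t)doubled * elem_size;
    return 1;
}

/* Grow an int array through the checked path. On refusal or OOM the
   caller's buffer and counter stay untouched and NULL is returned. */
int *grow_int_buffer(int *buf, unsigned int *group_size) {
    unsigned int doubled;
    size_t bytes;
    if (!grow_bytes_checked(*group_size, sizeof(int), &doubled, &bytes))
        return NULL;
    int *grown = realloc(buf, bytes);
    if (grown != NULL)
        *group_size = doubled;
    return grown;
}

/* Byte count the checked path would allocate, or 0 when it refuses. */
size_t checked_bytes(unsigned int group_size, size_t elem_size) {
    unsigned int doubled;
    size_t bytes = 0;
    return grow_bytes_checked(group_size, elem_size, &doubled, &bytes) ? bytes : 0;
}
```

With a constructed counter of 0x80000001u, grow_bytes_unchecked hands realloc only 2 * sizeof(int) bytes, while checked_bytes returns 0 for the same input.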
hartwork changed the title from "Reserved #532 (security issue upcoming)" to "Crafted XML file can cause integer overflow on m_groupSize in function doProlog" on Jan 4, 2022
hartwork changed the title from "Crafted XML file can cause integer overflow on m_groupSize in function doProlog" to "[CVE-2021-46143] Crafted XML file can cause integer overflow on m_groupSize in function doProlog" on Jan 6, 2022
Hi @ddillard, it's 8 CVEs in total, 3 pull requests, all related to fixed size integer math near memory allocation. Current ETA for release 2.4.3 is Sunday January 16th, two days from now, see pull request #543. If you like, you can watch the repository for releases (using the watch button near the top right of the page) and then every future Git tag will have GitHub send an e-mail to you. Thanks for your interest in libexpat security.
A pull request and likely a CVE are upcoming, and there will soon be a release 2.4.3.
Best, Sebastian