Expat 2.4.5 released, includes 5 security fixes

[Alan Coopersmith <alan.coopersmith () oracle com>]

From https://blog.hartwork.org/posts/expat-2-4-5-released/ :

> Expat 2.4.5 released, includes security fixes
> 2022-02-19 01:23
>
> libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML 
> parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.
>
> Expat 2.4.5 has been released a few hours ago. This release is about security fixes. There are 5 CVEs involved:
>
>     CVE-2022-25235
>     CVE-2022-25236
>     CVE-2022-25313
>     CVE-2022-25314
>     CVE-2022-25315
>
> Regarding impact of vulnerabilities, please note that looking at a vulnerability in isolation may miss part of the picture; 
> e.g. if Expat passes malformed data to the application using Expat and that application isn't prepared for Expat 
> violating their agreed API contract, you may end up with code execution from something that looked close to harmless, in 
> isolation.
>
> For more details, please check out the change log.
>
> If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 
> 2.4.5. Thank you!
>
> Sebastian Pipping


From https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes :

> Release 2.4.5 Fri February 18 2022
>         Security fixes:
>             #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
>                     sequences (e.g. from start tag names) to the XML
>                     processing application on top of Expat can cause
>                     arbitrary damage (e.g. code execution) depending
>                     on how invalid UTF-8 is handled inside the XML
>                     processor; validation was not their job but Expat's.
>                     Exploits with code execution are known to exist.
>             #561  CVE-2022-25236 -- Passing (one or more) namespace separator
>                     characters in "xmlns[:prefix]" attribute values
>                     made Expat send malformed tag names to the XML
>                     processor on top of Expat which can cause
>                     arbitrary damage (e.g. code execution) depending
>                     on such unexpectable cases are handled inside the XML
>                     processor; validation was not their job but Expat's.
>                     Exploits with code execution are known to exist.
>             #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
>                     that could be triggered by e.g. a 2 megabytes
>                     file with a large number of opening braces.
>                     Expected impact is denial of service or potentially
>                     arbitrary code execution.
>             #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
>                     only affects the encoding name parameter at parser creation
>                     time which is often hardcoded (rather than user input),
>                     takes a value in the gigabytes to trigger, and a 64-bit
>                     machine.  Expected impact is denial of service.
>             #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
>                     needs input in the gigabytes and a 64-bit machine.
>                     Expected impact is denial of service or potentially
>                     arbitrary code execution.
>
>         Other changes:
>        #557 #564  Version info bumped from 9:4:8 to 9:5:8;
>                     see https://verbump.de/ for what these numbers do
>
>         Special thanks to:
>             Ivan Fratric
>             Samanta Navarro
>                  and
>             Google Project Zero
>             JetBrains

[Versions 2.4.3 & 2.4.4 fixed a number of CVE's as well if people missed those.]

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris