Expat library patched against code execution vulnerabilities


Parser can expose upstream software like Apache.

The popular XML parser library Expat (libexpat) has been patched against five vulnerabilities.


The library features in open source software like Apache, Mozilla, Perl, PHP and Python, along with most Linux distributions.

The vulnerabilities expose XML processors built on top of Expat to at least two classes of attack: arbitrary code execution and denial of service.

As developer Sebastian Pipping wrote: “Please note that looking at a vulnerability in isolation may miss part of the picture … if Expat passes malformed data to the application using Expat and that application isn't prepared for Expat violating their agreed API contract, you may end up with code execution from something that looked close to harmless, in isolation.”

The bugs are fixed in release 2.4.5.

Code execution exploits are known for two of the bugs:

  • In CVE-2022-25235, an attacker can get Expat to pass malformed 2- and 3-byte UTF-8 sequences up to the XML processor.
  • In CVE-2022-25236, “passing (one or more) namespace separator characters in "xmlns[:prefix]" attribute values made Expat send malformed tag names to the XML processor on top of Expat”.

CVE-2022-25313 is a stack exhaustion in Expat’s doctype parsing, while CVE-2022-25314 is an integer overflow in the copyString function. Both of these could crash the application on top of Expat.

Finally, CVE-2022-25315 is an integer overflow in the storeRawNames function, only attackable on 64-bit machines using gigabyte-size inputs. An exploit is demonstrated here.
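The quoted advice and the two code-execution bugs above point to two checks an application on top of Expat can make on its own side. The following Python program is an added example, not code from the article or from the Expat project: it gates on the Expat version that the standard-library pyexpat module reports being at least 2.4.5, and it treats what the parser hands up as untrusted, checking that byte strings are strictly well-formed UTF-8 (rejecting overlong 2- and 3-byte forms and surrogates) and that a namespace-expanded tag name carries at most one separator. The separator character "}", the sample byte sequences and the sample document are constructed for the example; which libexpat pyexpat is linked against depends on the Python build.

```python
import xml.parsers.expat as expat

# Release in which the five CVEs discussed above were fixed.
PATCHED = (2, 4, 5)


def expat_is_patched(version_info=expat.version_info):
    """True when the Expat that pyexpat is linked against is 2.4.5 or newer."""
    return tuple(version_info[:3]) >= PATCHED


def utf8_is_well_formed(data: bytes) -> bool:
    """Strict RFC 3629 check: rejects overlong forms, surrogates and truncation.

    This is the kind of validation an application should apply to bytes it
    receives from a parser whose output it is not willing to trust blindly.
    """
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # 1-byte ASCII
            i += 1
            continue
        if 0xC2 <= b0 <= 0xDF:             # 2-byte; C0/C1 would be overlong
            need, lo, hi = 1, 0x80, 0xBF
        elif b0 == 0xE0:                   # 3-byte; second byte < A0 is overlong
            need, lo, hi = 2, 0xA0, 0xBF
        elif 0xE1 <= b0 <= 0xEC or 0xEE <= b0 <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif b0 == 0xED:                   # second byte >= A0 encodes a surrogate
            need, lo, hi = 2, 0x80, 0x9F
        elif b0 == 0xF0:                   # 4-byte; second byte < 90 is overlong
            need, lo, hi = 3, 0x90, 0xBF
        elif 0xF1 <= b0 <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b0 == 0xF4:                   # above U+10FFFF otherwise
            need, lo, hi = 3, 0x80, 0x8F
        else:                              # 80..C1 and F5..FF never start a sequence
            return False
        if i + need >= n:                  # truncated sequence
            return False
        if not (lo <= data[i + 1] <= hi):
            return False
        for k in range(2, need + 1):
            if not (0x80 <= data[i + k] <= 0xBF):
                return False
        i += need + 1
    return True


# Constructed separator; Expat joins "namespace-URI" + SEP + "local-name".
SEP = "}"


def parse_with_contract_check(xml_bytes: bytes, sep: str = SEP):
    """Parse with namespace processing and verify each tag name Expat hands up.

    Returns (accepted_names, contract_violations).  A name with more than one
    separator would mean the parser has broken the URI/local-name contract.
    """
    parser = expat.ParserCreate(namespace_separator=sep)
    accepted, violations = [], []

    def start(name, attrs):
        if name.count(sep) > 1:
            violations.append(name)
        else:
            accepted.append(name)

    parser.StartElementHandler = start
    parser.Parse(xml_bytes, True)
    return accepted, violations


if __name__ == "__main__":
    print("expat", expat.EXPAT_VERSION, "patched:", expat_is_patched())
    for sample in (b"\xc3\xa9", b"\xc0\xaf", b"\xe0\x80\x80", b"\xed\xa0\x80"):
        print(sample, utf8_is_well_formed(sample))
    # Constructed document: one default namespace, two elements.
    print(parse_with_contract_check(b'<r xmlns="urn:x"><a/></r>'))
```

The version gate is the cheap, decisive check; the UTF-8 and tag-name checks are the "don't trust the API contract" defence that the developer's quote describes, and they stay useful even on a patched library because they cost little and fail closed on anything the parser should never have emitted.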

Copyright © iTnews.com.au . All rights reserved.