Red Hat Product Errata RHSA-2022:1069 - Security Advisory
Issued:
2022-03-28
Updated:
2022-03-28

RHSA-2022:1069 - Security Advisory

Synopsis

Important: expat security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for expat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Expat is a C library for parsing XML documents.

Security Fix(es):

  • expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
  • expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
  • expat: Integer overflow in storeRawNames() (CVE-2022-25315)
  • expat: Large number of prefixed XML attributes on a single tag can crash libexpat (CVE-2021-45960)
  • expat: Integer overflow in doProlog in xmlparse.c (CVE-2021-46143)
  • expat: Integer overflow in addBinding in xmlparse.c (CVE-2022-22822)
  • expat: Integer overflow in build_model in xmlparse.c (CVE-2022-22823)
  • expat: Integer overflow in defineAttribute in xmlparse.c (CVE-2022-22824)
  • expat: Integer overflow in lookup in xmlparse.c (CVE-2022-22825)
  • expat: Integer overflow in nextScaffoldPart in xmlparse.c (CVE-2022-22826)
  • expat: Integer overflow in storeAtts in xmlparse.c (CVE-2022-22827)
  • expat: Integer overflow in function XML_GetBuffer (CVE-2022-23852)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library must be restarted for the update to take effect.

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

  • BZ - 2044451 - CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
  • BZ - 2044455 - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
  • BZ - 2044457 - CVE-2022-22822 expat: Integer overflow in addBinding in xmlparse.c
  • BZ - 2044464 - CVE-2022-22823 expat: Integer overflow in build_model in xmlparse.c
  • BZ - 2044467 - CVE-2022-22824 expat: Integer overflow in defineAttribute in xmlparse.c
  • BZ - 2044479 - CVE-2022-22825 expat: Integer overflow in lookup in xmlparse.c
  • BZ - 2044484 - CVE-2022-22826 expat: Integer overflow in nextScaffoldPart in xmlparse.c
  • BZ - 2044488 - CVE-2022-22827 expat: Integer overflow in storeAtts in xmlparse.c
  • BZ - 2044613 - CVE-2022-23852 expat: Integer overflow in function XML_GetBuffer
  • BZ - 2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()
  • BZ - 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
  • BZ - 2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

Red Hat Enterprise Linux Server 7

SRPM
expat-2.1.0-14.el7_9.src.rpm SHA-256: f9cd795091ff81f0b1dedbdd5aa6891b9cbcf276e76a8bfa8a41b159333bf6cf
x86_64
expat-2.1.0-14.el7_9.i686.rpm SHA-256: f37ba8d6c6ab51637a2d60d84a6c5e00b7534535869ceb82fc9fe4c3e8bb4628
expat-2.1.0-14.el7_9.x86_64.rpm SHA-256: fb1405de178b441ca9c745838b73a454d95cfaf50d8488715ecf4674141cc2e6
expat-debuginfo-2.1.0-14.el7_9.i686.rpm SHA-256: 00498eac88218752f10eb364f3e3b932a837a65842d4c2f2c8cc0030616b12bd
expat-debuginfo-2.1.0-14.el7_9.i686.rpm SHA-256: 00498eac88218752f10eb364f3e3b932a837a65842d4c2f2c8cc0030616b12bd
expat-debuginfo-2.1.0-14.el7_9.x86_64.rpm SHA-256: 06864b2f9275b2ce1f41cb43d20a80e180cab9cecefb6391b6eb80f6475101de
expat-debuginfo-2.1.0-14.el7_9.x86_64.rpm SHA-256: 06864b2f9275b2ce1f41cb43d20a80e180cab9cecefb6391b6eb80f6475101de
expat-devel-2.1.0-14.el7_9.i686.rpm SHA-256: 4f43bca2ee7aaebf81d909cda82ac6fcec30be87f5bed1094f6ee2847ac6ee38
expat-devel-2.1.0-14.el7_9.x86_64.rpm SHA-256: c7106208b766057c410aec173bd87c6b4b35247165d52777f8155e71163c67cf
expat-static-2.1.0-14.el7_9.i686.rpm SHA-256: 91453dbd5a4e607a830dc32327499a244d32326449843b1338dc4109e703f30f
expat-static-2.1.0-14.el7_9.x86_64.rpm SHA-256: e3a0cbfbb5a3b144b166cc67ff5e596434eafea368554fc2bbd83cabe693ff7f

Red Hat Enterprise Linux Workstation 7

SRPM
expat-2.1.0-14.el7_9.src.rpm SHA-256: f9cd795091ff81f0b1dedbdd5aa6891b9cbcf276e76a8bfa8a41b159333bf6cf
x86_64
expat-2.1.0-14.el7_9.i686.rpm SHA-256: f37ba8d6c6ab51637a2d60d84a6c5e00b7534535869ceb82fc9fe4c3e8bb4628
expat-2.1.0-14.el7_9.x86_64.rpm SHA-256: fb1405de178b441ca9c745838b73a454d95cfaf50d8488715ecf4674141cc2e6
expat-debuginfo-2.1.0-14.el7_9.i686.rpm SHA-256: 00498eac88218752f10eb364f3e3b932a837a65842d4c2f2c8cc0030616b12bd
expat-debuginfo-2.1.0-14.el7_9.i686.rpm SHA-256: 00498eac88218752f10eb364f3e3b932a837a65842d4c2f2c8cc0030616b12bd
expat-debuginfo-2.1.0-14.el7_9.x86_64.rpm SHA-256: 06864b2f9275b2ce1f41cb43d20a80e180cab9cecefb6391b6eb80f6475101de
expat-debuginfo-2.1.0-14.el7_9.x86_64.rpm SHA-256: 06864b2f9275b2ce1f41cb43d20a80e180cab9cecefb6391b6eb80f6475101de
expat-devel-2.1.0-14.el7_9.i686.rpm SHA-256: 4f43bca2ee7aaebf81d909cda82ac6fcec30be87f5bed1094f6ee2847ac6ee38
expat-devel-2.1.0-14.el7_9.x86_64.rpm SHA-256: c7106208b766057c410aec173bd87c6b4b35247165d52777f8155e71163c67cf
expat-static-2.1.0-14.el7_9.i686.rpm SHA-256: 91453dbd5a4e607a830dc32327499a244d32326449843b1338dc4109e703f30f
expat-static-2.1.0-14.el7_9.x86_64.rpm SHA-256: e3a0cbfbb5a3b144b166cc67ff5e596434eafea368554fc2bbd83cabe693ff7f

Red Hat Enterprise Linux Desktop 7

SRPM
expat-2.1.0-14.el7_9.src.rpm SHA-256: f9cd795091ff81f0b1dedbdd5aa6891b9cbcf276e76a8bfa8a41b159333bf6cf
x86_64
expat-2.1.0-14.el7_9.i686.rpm SHA-256: f37ba8d6c6ab51637a2d60d84a6c5e00b7534535869ceb82fc9fe4c3e8bb4628
expat-2.1.0-14.el7_9.x86_64.rpm SHA-256: fb1405de178b441ca9c745838b73a454d95cfaf50d8488715ecf4674141cc2e6
expat-debuginfo-2.1.0-14.el7_9.i686.rpm SHA-256: 00498eac88218752f10eb364f3e3b932a837a65842d4c2f2c8cc0030616b12bd
expat-debuginfo-2.1.0-14.el7_9.i686.rpm SHA-256: 00498eac88218752f10eb364f3e3b932a837a65842d4c2f2c8cc0030616b12bd
expat-debuginfo-2.1.0-14.el7_9.x86_64.rpm SHA-256: 06864b2f9275b2ce1f41cb43d20a80e180cab9cecefb6391b6eb80f6475101de
expat-debuginfo-2.1.0-14.el7_9.x86_64.rpm SHA-256: 06864b2f9275b2ce1f41cb43d20a80e180cab9cecefb6391b6eb80f6475101de
expat-devel-2.1.0-14.el7_9.i686.rpm SHA-256: 4f43bca2ee7aaebf81d909cda82ac6fcec30be87f5bed1094f6ee2847ac6ee38
expat-devel-2.1.0-14.el7_9.x86_64.rpm SHA-256: c7106208b766057c410aec173bd87c6b4b35247165d52777f8155e71163c67cf
expat-static-2.1.0-14.el7_9.i686.rpm SHA-256: 91453dbd5a4e607a830dc32327499a244d32326449843b1338dc4109e703f30f
expat-static-2.1.0-14.el7_9.x86_64.rpm SHA-256: e3a0cbfbb5a3b144b166cc67ff5e596434eafea368554fc2bbd83cabe693ff7f

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
expat-2.1.0-14.el7_9.src.rpm SHA-256: f9cd795091ff81f0b1dedbdd5aa6891b9cbcf276e76a8bfa8a41b159333bf6cf
s390x
expat-2.1.0-14.el7_9.s390.rpm SHA-256: 98b13ae5905fee55bb481d4cdfe5ff3e681335bc8e8942c14e6c655481f6bccf
expat-2.1.0-14.el7_9.s390x.rpm SHA-256: f86d0a5175ae355c7be32b1a5821e6c18d857095b45c72e94fdbade1983e778f
expat-debuginfo-2.1.0-14.el7_9.s390.rpm SHA-256: 87fdba223f9bd45343aacff02d7c4dff6d85dcef0ac673e569222bb179618796
expat-debuginfo-2.1.0-14.el7_9.s390.rpm SHA-256: 87fdba223f9bd45343aacff02d7c4dff6d85dcef0ac673e569222bb179618796
expat-debuginfo-2.1.0-14.el7_9.s390x.rpm SHA-256: 533a7b5748be9bffd47a3c3058f521f6b63c43e39df40962f9179cc24eea235f
expat-debuginfo-2.1.0-14.el7_9.s390x.rpm SHA-256: 533a7b5748be9bffd47a3c3058f521f6b63c43e39df40962f9179cc24eea235f
expat-devel-2.1.0-14.el7_9.s390.rpm SHA-256: 1a45c480fd6b221a35c8c8a5d3a8048bc8ca9a8caf404ade93de461b3fa5d75b
expat-devel-2.1.0-14.el7_9.s390x.rpm SHA-256: 3c259d5c2fbbc0158d309d0f5412bf45ffb4484a117a78e93e58017f4be19720
expat-static-2.1.0-14.el7_9.s390.rpm SHA-256: 387bee8d82c29cbbe9677671c9f0a47772aee1376d0cd8222f467d04d86c869c
expat-static-2.1.0-14.el7_9.s390x.rpm SHA-256: 10fc3a79aec5fc8f63d7863e61d73cd5bd2ad43e0554503e485b92dcf89dee1c

Red Hat Enterprise Linux for Power, big endian 7

SRPM
expat-2.1.0-14.el7_9.src.rpm SHA-256: f9cd795091ff81f0b1dedbdd5aa6891b9cbcf276e76a8bfa8a41b159333bf6cf
ppc64
expat-2.1.0-14.el7_9.ppc.rpm SHA-256: fc7b10b12fc9e9e538c218d4fe517781f5505b115e0651582cc68bbbc9b98905
expat-2.1.0-14.el7_9.ppc64.rpm SHA-256: a5b22dbabc0b630eddd95a0446b689e3e473cba842dcca3ce228374debd1081d
expat-debuginfo-2.1.0-14.el7_9.ppc.rpm SHA-256: 9ce4ee55c56a8b5ff2d777eaf940be6d6dc2682ad7395543fc25e750c4b6b990
expat-debuginfo-2.1.0-14.el7_9.ppc.rpm SHA-256: 9ce4ee55c56a8b5ff2d777eaf940be6d6dc2682ad7395543fc25e750c4b6b990
expat-debuginfo-2.1.0-14.el7_9.ppc64.rpm SHA-256: 3adb166ecba37481452f1d6d3f47af19bf07861964252608ef3d2117d58f3292
expat-debuginfo-2.1.0-14.el7_9.ppc64.rpm SHA-256: 3adb166ecba37481452f1d6d3f47af19bf07861964252608ef3d2117d58f3292
expat-devel-2.1.0-14.el7_9.ppc.rpm SHA-256: 1f372510021f4aaa541c6bed122d370963f0b7fc12078741fbf073f903b10e4c
expat-devel-2.1.0-14.el7_9.ppc64.rpm SHA-256: 2ef3a86bbc68deb83c184511c8749974d29c5840818f617a688136891ace9394
expat-static-2.1.0-14.el7_9.ppc.rpm SHA-256: b1da0fac240103a20d4567f177e32cda93a0aabfcb4a6afce3b12bab34df05a6
expat-static-2.1.0-14.el7_9.ppc64.rpm SHA-256: aa9450480c5cca59ca30642fd177a3d3471a0ec1850d4d79c81a7ff86d958f49

Red Hat Enterprise Linux for Scientific Computing 7

SRPM
expat-2.1.0-14.el7_9.src.rpm SHA-256: f9cd795091ff81f0b1dedbdd5aa6891b9cbcf276e76a8bfa8a41b159333bf6cf
x86_64
expat-2.1.0-14.el7_9.i686.rpm SHA-256: f37ba8d6c6ab51637a2d60d84a6c5e00b7534535869ceb82fc9fe4c3e8bb4628
expat-2.1.0-14.el7_9.x86_64.rpm SHA-256: fb1405de178b441ca9c745838b73a454d95cfaf50d8488715ecf4674141cc2e6
expat-debuginfo-2.1.0-14.el7_9.i686.rpm SHA-256: 00498eac88218752f10eb364f3e3b932a837a65842d4c2f2c8cc0030616b12bd
expat-debuginfo-2.1.0-14.el7_9.i686.rpm SHA-256: 00498eac88218752f10eb364f3e3b932a837a65842d4c2f2c8cc0030616b12bd
expat-debuginfo-2.1.0-14.el7_9.x86_64.rpm SHA-256: 06864b2f9275b2ce1f41cb43d20a80e180cab9cecefb6391b6eb80f6475101de
expat-debuginfo-2.1.0-14.el7_9.x86_64.rpm SHA-256: 06864b2f9275b2ce1f41cb43d20a80e180cab9cecefb6391b6eb80f6475101de
expat-devel-2.1.0-14.el7_9.i686.rpm SHA-256: 4f43bca2ee7aaebf81d909cda82ac6fcec30be87f5bed1094f6ee2847ac6ee38
expat-devel-2.1.0-14.el7_9.x86_64.rpm SHA-256: c7106208b766057c410aec173bd87c6b4b35247165d52777f8155e71163c67cf
expat-static-2.1.0-14.el7_9.i686.rpm SHA-256: 91453dbd5a4e607a830dc32327499a244d32326449843b1338dc4109e703f30f
expat-static-2.1.0-14.el7_9.x86_64.rpm SHA-256: e3a0cbfbb5a3b144b166cc67ff5e596434eafea368554fc2bbd83cabe693ff7f

Red Hat Enterprise Linux for Power, little endian 7

SRPM
expat-2.1.0-14.el7_9.src.rpm SHA-256: f9cd795091ff81f0b1dedbdd5aa6891b9cbcf276e76a8bfa8a41b159333bf6cf
ppc64le
expat-2.1.0-14.el7_9.ppc64le.rpm SHA-256: 9b4dc11e475f7c65d16095b498dd4b146efdb9e9deda1c808c37aff07b9e6daf
expat-debuginfo-2.1.0-14.el7_9.ppc64le.rpm SHA-256: ea1bba9d8da25d3316182409006d4b8648242e02f6dea88bc12c39974f25db2f
expat-debuginfo-2.1.0-14.el7_9.ppc64le.rpm SHA-256: ea1bba9d8da25d3316182409006d4b8648242e02f6dea88bc12c39974f25db2f
expat-devel-2.1.0-14.el7_9.ppc64le.rpm SHA-256: 98f7cc1eb8a563ac31617c8c080549de415ecf2a530614e2ae87124343df2a12
expat-static-2.1.0-14.el7_9.ppc64le.rpm SHA-256: b5e4064d86d15f0a351438e0fee4190ca7f354a3214d2be3504bbf6804e62560

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.