Advisory

Critical vulnerabilities reported and fixed in Expat XML parsing C library

Take action: Depending on how you use the Expat library, patching is either very simple or very complex. Ideally, just update the library to 2.6.3 or later. If your code depends on a specific version, engage your dev team to analyse whether your code is vulnerable.

Learn More

The Expat XML parsing C library has been found to contain three critical security vulnerabilities, all of which could lead to denial-of-service (DoS) attacks or arbitrary code execution. Discovered by security researcher Shang-Hung Wan, these vulnerabilities affect versions of libexpat before 2.6.3.

Vulnerabilities Summary

  • CVE-2024-45490 (CVSS score 9.8) - A flaw in xmlparse.c where the XML_ParseBuffer function fails to reject negative input lengths. This oversight allows attackers to submit malicious inputs that cause the Expat library to behave unpredictably, potentially leading to DoS or arbitrary code execution.
  • CVE-2024-45491 (CVSS score 9.8) - An integer overflow in the dtdCopy function, affecting 32-bit platforms in libexpat versions prior to 2.6.3. The overflow can cause buffer overflows, leading to a DoS or possibly arbitrary code execution.
  • CVE-2024-45492 (CVSS score 9.8) - Similar to CVE-2024-45491, this flaw stems from an integer overflow in the nextScaffoldPart function in xmlparse.c, also affecting 32-bit platforms. Attackers can leverage it to crash the process or execute arbitrary code.

Users of the Expat library are strongly urged to update to version 2.6.3 or later to patch these critical vulnerabilities. Various Linux distributions have responded with security patches:

  • Canonical has released patches for the following supported versions:

    • Ubuntu 24.04 LTS
    • Ubuntu 20.04 LTS
    • Ubuntu 18.04 ESM (Extended Security Maintenance)
    • Ubuntu 16.04 ESM
    • Ubuntu 14.04 ESM
  • Debian users running version 12 (Bookworm) should upgrade to Expat version 2.5.0-1+deb12u1 or later to protect against these vulnerabilities.
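A quick way to find out which Expat a runtime is linked against, and whether that build predates the 2.6.3 fixes for the three CVEs above. This is an added example, not code from the advisory or from the Expat project; it uses CPython's pyexpat module (pyexpat.version_info and the "expat_X.Y.Z" string format of pyexpat.EXPAT_VERSION / XML_ExpatVersion()), and the caveat about distribution backports is drawn from the Debian package version listed above.

```python
"""Check whether a libexpat build predates the 2.6.3 release that fixed
CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492."""
import re
import pyexpat  # CPython's bundled or system-linked Expat; exposes its version

# Upstream release carrying the fix for all three CVEs (from the advisory).
FIXED_VERSION = (2, 6, 3)

# Accepts "expat_2.6.3" (XML_ExpatVersion() / pyexpat.EXPAT_VERSION) or "2.6.3".
_VERSION_RE = re.compile(r"^(?:expat_)?(\d+)\.(\d+)\.(\d+)$")


def parse_expat_version(text):
    """Turn an Expat version string into a (major, minor, micro) tuple."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Expat version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version, fixed=FIXED_VERSION):
    """True when the upstream version is older than the fixing release.

    Caveat: distributions commonly backport the fix without bumping the
    upstream version (Debian 12's patched package is 2.5.0-1+deb12u1), so
    True here means "verify against your package changelog", not
    "definitely vulnerable". False means the upstream release is new enough.
    """
    return tuple(version) < tuple(fixed)


def runtime_expat_status():
    """Report the Expat linked into this interpreter and whether it is
    older than 2.6.3, using pyexpat.version_info (a 3-tuple)."""
    version = tuple(pyexpat.version_info)
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    status = runtime_expat_status()
    label = "predates 2.6.3 fixes" if status["affected"] else "2.6.3 or later"
    print("linked Expat: %s (%s)" % (".".join(map(str, status["version"])), label))
```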