expat-2.4.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11762 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z expat-2.4.3-1.1 on GA media These are all security issues fixed in the expat-2.4.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11762 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11762 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-45960/ SUSE CVE CVE-2021-45960 page https://www.suse.com/security/cve/CVE-2021-46143/ SUSE CVE CVE-2021-46143 page https://www.suse.com/security/cve/CVE-2022-22822/ SUSE CVE CVE-2022-22822 page https://www.suse.com/security/cve/CVE-2022-22823/ SUSE CVE CVE-2022-22823 page https://www.suse.com/security/cve/CVE-2022-22824/ SUSE CVE CVE-2022-22824 page https://www.suse.com/security/cve/CVE-2022-22825/ SUSE CVE CVE-2022-22825 page https://www.suse.com/security/cve/CVE-2022-22826/ SUSE CVE CVE-2022-22826 page https://www.suse.com/security/cve/CVE-2022-22827/ SUSE CVE CVE-2022-22827 page openSUSE Tumbleweed expat-2.4.3-1.1 libexpat-devel-2.4.3-1.1 libexpat-devel-32bit-2.4.3-1.1 libexpat1-2.4.3-1.1 libexpat1-32bit-2.4.3-1.1 expat-2.4.3-1.1 as a component of openSUSE Tumbleweed libexpat-devel-2.4.3-1.1 as a component of openSUSE Tumbleweed libexpat-devel-32bit-2.4.3-1.1 as a component of openSUSE Tumbleweed libexpat1-2.4.3-1.1 as a component of openSUSE Tumbleweed libexpat1-32bit-2.4.3-1.1 as a component of openSUSE Tumbleweed In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). CVE-2021-45960 openSUSE Tumbleweed:expat-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-45960.html CVE-2021-45960 https://bugzilla.suse.com/1194251 SUSE Bug 1194251 In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. CVE-2021-46143 openSUSE Tumbleweed:expat-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-46143.html CVE-2021-46143 https://bugzilla.suse.com/1194362 SUSE Bug 1194362 https://bugzilla.suse.com/1195327 SUSE Bug 1195327 https://bugzilla.suse.com/1196387 SUSE Bug 1196387 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22822 openSUSE Tumbleweed:expat-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-22822.html CVE-2022-22822 https://bugzilla.suse.com/1194474 SUSE Bug 1194474 https://bugzilla.suse.com/1195327 SUSE Bug 1195327 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22823 openSUSE Tumbleweed:expat-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-22823.html CVE-2022-22823 https://bugzilla.suse.com/1194476 SUSE Bug 1194476 https://bugzilla.suse.com/1195327 SUSE Bug 1195327 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22824 openSUSE Tumbleweed:expat-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-22824.html CVE-2022-22824 https://bugzilla.suse.com/1194477 SUSE Bug 1194477 https://bugzilla.suse.com/1195327 SUSE Bug 1195327 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22825 openSUSE Tumbleweed:expat-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-22825.html CVE-2022-22825 https://bugzilla.suse.com/1194478 SUSE Bug 1194478 https://bugzilla.suse.com/1195327 SUSE Bug 1195327 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22826 openSUSE Tumbleweed:expat-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-22826.html CVE-2022-22826 https://bugzilla.suse.com/1194479 SUSE Bug 1194479 https://bugzilla.suse.com/1195327 SUSE Bug 1195327 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198 storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22827 openSUSE Tumbleweed:expat-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-2.4.3-1.1 openSUSE Tumbleweed:libexpat-devel-32bit-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-2.4.3-1.1 openSUSE Tumbleweed:libexpat1-32bit-2.4.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-22827.html CVE-2022-22827 https://bugzilla.suse.com/1194480 SUSE Bug 1194480 https://bugzilla.suse.com/1195327 SUSE Bug 1195327 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1200198 SUSE Bug 1200198