Security update for expat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20207-1 Final 1 1 2025-04-29T11:07:45Z current 2025-04-29T11:07:45Z 2025-04-29T11:07:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for expat This update for expat fixes the following issues: Version update to 2.7.1: * Bug fixes: * Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext * Other changes: #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}" with Automake that were missing from 2.7.0 release tarballs #983 #984 Fix printf format specifiers for 32bit Emscripten #992 docs: Promote OpenSSF Best Practices self-certification #978 tests/benchmark: Resolve mistaken double close #986 Address compiler warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: #982 CI: Start running Perl XML::Parser integration tests #987 CI: Enforce Clang Static Analyzer clean code #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy #981 CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten #976 #977 CI: Protect against fuzzer files missing from future release archives Version update to 2.7.0 (CVE-2024-8176 [bsc#1239618]) * Security fixes: * CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data ("<e>&g1;</e>") - general entities in attribute values ("<e k1='&g1;'/>") - parameter entities ("%p1;") Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. * Other changes: * Document changes since the previous release * Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do Version update to 2.6.4: * Security fixes: [bsc#1232601][bsc#1232579] * CVE-2024-50602 -- Fix crash within function XML_ResumeParser from a NULL pointer dereference by disallowing function XML_StopParser to (stop or) suspend an unstarted parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly communicate this situation. // CWE-476 CWE-754 * Other changes: * Version info bumped from 10:3:9 (libexpat*.so.1.9.3) to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ for what these numbers do Update to 2.6.3: * Security fixes: - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with len < 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the fix, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and now documented. Impact is denial of service to potentially artitrary code execution. - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially artitrary code execution. - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially artitrary code execution. * Other changes: - Version info bumped from 10:2:9 (libexpat*.so.1.9.2) to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/ for what these numbers do Update to 2.6.2: * CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers (bsc#1221289) * Reject direct parameter entity recursion and avoid the related undefined behavior Update to 2.6.1: * Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0 * Make tests independent of CPU speed, and thus more robust Update to 2.6.0: * Security fixes: - CVE-2023-52425 (bsc#1219559) Fix quadratic runtime issues with big tokens that can cause denial of service, in partial where dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to no omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix. - CVE-2023-52426 (bsc#1219561) Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then). * Bug fixes: - Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark - Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined - Protect against closing entities out of order * Other changes: - Improve support for arc4random/arc4random_buf - Improve buffer growth in XML_GetBuffer and XML_Parse - xmlwf: Support --help and --version - xmlwf: Support custom buffer size for XML_GetBuffer and read - xmlwf: Improve language and URL clickability in help output - examples: Add new example "element_declarations.c" - Be stricter about macro XML_CONTEXT_BYTES at build time - Make inclusion to expat_config.h consistent - Autotools: configure.ac: Support --disable-maintainer-mode - Autotools: Sync CMake templates with CMake 3.26 - Autotools: Make installation of shipped man page doc/xmlwf.1 independent of docbook2man availability - Autotools|CMake: Add missing -DXML_STATIC to pkg-config file section "Cflags.private" in order to fix compilation against static libexpat using pkg-config on Windows - Autotools|CMake: Require a C99 compiler (a de-facto requirement already since Expat 2.2.2 of 2017) - Autotools|CMake: Fix PACKAGE_BUGREPORT variable - Autotools|CMake: Make test suite require a C++11 compiler - CMake: Require CMake >=3.5.0 - CMake: Lowercase off_t and size_t to help a bug in Meson - CMake: Sort xmlwf sources alphabetically - CMake|Windows: Fix generation of DLL file version info - CMake: Build tests/benchmark/benchmark.c as well for a build with -DEXPAT_BUILD_TESTS=ON - docs: Document the importance of isFinal + adjust tests accordingly - docs: Improve use of "NULL" and "null" - docs: Be specific about version of XML (XML 1.0r4) and version of C (C99); (XML 1.0r5 will need a sponsor.) - docs: reference.html: Promote function XML_ParseBuffer more - docs: reference.html: Add HTML anchors to XML_* macros - docs: reference.html: Upgrade to OK.css 1.2.0 - docs: Fix typos - docs|CI: Use HTTPS URLs instead of HTTP at various places - Address compiler warnings - Address clang-tidy warnings - Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-304 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ Link for SUSE-SU-2025:20207-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021128.html E-Mail link for SUSE-SU-2025:20207-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219559 SUSE Bug 1219559 https://bugzilla.suse.com/1219561 SUSE Bug 1219561 https://bugzilla.suse.com/1221289 SUSE Bug 1221289 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 https://bugzilla.suse.com/1229931 SUSE Bug 1229931 https://bugzilla.suse.com/1229932 SUSE Bug 1229932 https://bugzilla.suse.com/1232579 SUSE Bug 1232579 https://bugzilla.suse.com/1232601 SUSE Bug 1232601 https://bugzilla.suse.com/1239618 SUSE Bug 1239618 https://www.suse.com/security/cve/CVE-2013-0340/ SUSE CVE CVE-2013-0340 page https://www.suse.com/security/cve/CVE-2019-15903/ SUSE CVE CVE-2019-15903 page https://www.suse.com/security/cve/CVE-2023-52425/ SUSE CVE CVE-2023-52425 page https://www.suse.com/security/cve/CVE-2023-52426/ SUSE CVE CVE-2023-52426 page https://www.suse.com/security/cve/CVE-2024-28757/ SUSE CVE CVE-2024-28757 page https://www.suse.com/security/cve/CVE-2024-45490/ SUSE CVE CVE-2024-45490 page https://www.suse.com/security/cve/CVE-2024-45491/ SUSE CVE CVE-2024-45491 page https://www.suse.com/security/cve/CVE-2024-45492/ SUSE CVE CVE-2024-45492 page https://www.suse.com/security/cve/CVE-2024-50602/ SUSE CVE CVE-2024-50602 page https://www.suse.com/security/cve/CVE-2024-8176/ SUSE CVE CVE-2024-8176 page SUSE Linux Micro 6.0 libexpat1-2.7.1-1.1 libexpat1-2.7.1-1.1 as a component of SUSE Linux Micro 6.0 expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE. CVE-2013-0340 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2013-0340.html CVE-2013-0340 https://bugzilla.suse.com/805236 SUSE Bug 805236 In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. CVE-2019-15903 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2019-15903.html CVE-2019-15903 https://bugzilla.suse.com/1149429 SUSE Bug 1149429 https://bugzilla.suse.com/1154738 SUSE Bug 1154738 https://bugzilla.suse.com/1154806 SUSE Bug 1154806 libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2023-52425.html CVE-2023-52425 https://bugzilla.suse.com/1219559 SUSE Bug 1219559 libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. CVE-2023-52426 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2023-52426.html CVE-2023-52426 https://bugzilla.suse.com/1219561 SUSE Bug 1219561 libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). CVE-2024-28757 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2024-28757.html CVE-2024-28757 https://bugzilla.suse.com/1221289 SUSE Bug 1221289 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2024-45490.html CVE-2024-45490 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2024-45491.html CVE-2024-45491 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 https://bugzilla.suse.com/1229931 SUSE Bug 1229931 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2024-45492.html CVE-2024-45492 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 https://bugzilla.suse.com/1229932 SUSE Bug 1229932 An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. CVE-2024-50602 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2024-50602.html CVE-2024-50602 https://bugzilla.suse.com/1232579 SUSE Bug 1232579 A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. CVE-2024-8176 SUSE Linux Micro 6.0:libexpat1-2.7.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/ https://www.suse.com/security/cve/CVE-2024-8176.html CVE-2024-8176 https://bugzilla.suse.com/1239618 SUSE Bug 1239618