Evaluate expat CVE-2022-40674 fix
Categories
(Core :: XML, defect)
Tracking
()
People
(Reporter: RyanVM, Assigned: peterv)
References
Details
(Keywords: sec-moderate, Whiteboard: [adv-main107+])
Attachments
(2 files)
The new expat 2.4.9 release shipped today included a CVE fix:
#629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in function doContent. Expected impact is denial of service or potentially arbitrary code execution.
https://github.com/libexpat/libexpat/pull/629/commits/4a32da87e931ba54393d465bb77c40b5c33d343b
While our RLBox sandboxing likely mitigates the severity of this issue, we still might want to consider cherry-picking the fix to our import for safety's sake.
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 2•3 years ago
|
||
[Tracking Requested - why for this release]: From a background conversation with Tom -- RLBoxing makes this less severe, but we should get this fixed and uplifted
|
||
Updated•3 years ago
|
|
|
||
Comment 4•3 years ago
|
||
The 2.4.9-based patch linked in comment 0 doesn't apply cleanly because of some object restructuring, though it totally applies functionally. Debian is maintaining a 2.2.10-based fork so their version of the patch might be easier to use.
|
Reporter | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Comment 8•3 years ago
|
||
Peter, are you going to request an uplift to release and esr branches?
|
||
Comment 9•3 years ago
|
||
| bugherder | ||
|
|
Reporter | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 10•3 years ago
|
||
I spent some time writing a testcase for this (which was a bit tricky, have to block the parser at the right time and pause sending data to force a boundary in the buffer in the right spot). It turns out that we ran into this issue while fixing some crashes and intermittent failures after landing RLBox, and bholley landed a similar fix (bug 1746996). I had vaguely assumed that the failure was specific to our copy of Expat, but apparently not :-/. So we don't need to port this to branches that already have the fix for bug 1746996 (which landed in 96).
|
|
Reporter | |
Updated•3 years ago
|
|
||
Comment 11•3 years ago
|
||
Hi Ryan,
I might have a silly question: Why not backporting this to ESR102? Does it mean that the CVE-2022-40674 was already fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=1746996 as mentioned by :peterv? So, in this case, I would expect no change needed also in FF107 or that the fix lands in both FF107 and ESR102.5, right?
Sorry for the confusion, but I would like to understand the severity of this fix and if it is okay to still use ESR102 or wait until ESR115 to use it again.
|
|
Reporter | |
Comment 12•3 years ago
|
||
That was my understanding of comment 10, yes. We effectively fixed this bug already in 96.
|
|
Reporter | |
Comment 13•3 years ago
|
||
That said, Peter, can you confirm that comment 10 applies in the non-RLBox scenario (as I understand it, some distros don't have it enabled in their builds)?
|
|
Assignee | |
Comment 14•3 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #13)
That said, Peter, can you confirm that comment 10 applies in the non-RLBox scenario (as I understand it, some distros don't have it enabled in their builds)?
Yes.
|
|
Reporter | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 15•3 years ago
|
||
|
|
||
Updated•3 years ago
|
Description
•