Closed Bug 1797336 (CVE-2022-43680) Opened 3 years ago Closed 3 years ago

Evaluate expat CVE-2022-43680 fix

Categories

(Core :: XML, defect)


Tracking


RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 107+ fixed
firefox106 --- wontfix
firefox107 + fixed
firefox108 + fixed

People

(Reporter: ryanvm, Assigned: peterv)

Details

Attachments

(1 file)

The new expat 2.5.0 release shipped today included a CVE fix:

#616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. Expected impact is denial of service or potentially arbitrary code execution.

https://github.com/libexpat/libexpat/pull/650/files

While RLBox sandboxing potentially mitigates the severity of this issue for our official releases, we should be cognizant of distros which ship with RLBox disabled where the severity may be higher when determining which course of action to take.

Flags: needinfo?(peterv)
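As an added illustration (not libexpat's or Mozilla's code), a C model of the ownership bug class described above: a child parser created for an external entity borrows the parent's DTD, and the cleanup that runs when the child's setup hits an allocation failure must leave that DTD alone. The Parser/Dtd types, the owns_dtd flag and the oom parameter are constructed for this model and are not expat's names.

```c
/* Illustrative model (not libexpat's code) of the bug class behind CVE-2022-43680:
 * a child parser borrows its parent's DTD, so child-setup failure cleanup must not free it. */
#include <stdlib.h>
#include <string.h>
typedef struct { char name[16]; } Dtd;
typedef struct {
    Dtd *dtd;
    int owns_dtd;   /* 1: this parser frees dtd; 0: dtd belongs to a parent */
    char *context;  /* allocated during child setup; the simulated OOM point */
} Parser;
static int g_dtd_frees = 0;  /* a correct run destroys the DTD exactly once */
static void dtd_destroy(Dtd *d) { g_dtd_frees++; free(d); }
Parser *parser_create(const char *dtd_name) {
    Parser *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    if (!(p->dtd = calloc(1, sizeof *p->dtd))) { free(p); return NULL; }
    strncpy(p->dtd->name, dtd_name, sizeof p->dtd->name - 1);
    p->owns_dtd = 1;
    return p;
}
/* Fixed cleanup: releases only what this parser owns. The vulnerable pattern
 * destroyed dtd unconditionally, freeing it out from under the parent. */
void parser_free(Parser *p) {
    if (!p) return;
    if (p->owns_dtd) dtd_destroy(p->dtd);
    free(p->context);
    free(p);
}
/* Child parser for an external entity; oom simulates the setup allocation failing. */
Parser *external_entity_parser_create(Parser *parent, const char *ctx, int oom) {
    Parser *child = calloc(1, sizeof *child);
    if (!child) return NULL;
    child->dtd = parent->dtd; child->owns_dtd = 0;  /* borrowed, not owned */
    child->context = oom ? NULL : malloc(strlen(ctx) + 1);
    if (!child->context) { parser_free(child); return NULL; } /* the error path */
    strcpy(child->context, ctx);
    return child;
}
/* Returns 1 when the parent's DTD survives child creation (successful or not)
 * and is destroyed exactly once, with the parent; 0 otherwise. */
int parent_dtd_survives(int oom) {
    g_dtd_frees = 0;
    Parser *parent = parser_create("root");
    if (!parent) return 0;
    Parser *child = external_entity_parser_create(parent, "ctx", oom);
    int ok = g_dtd_frees == 0 && (child != NULL) == !oom && !strcmp(parent->dtd->name, "root");
    parser_free(child);
    parser_free(parent);
    return ok && g_dtd_frees == 1;
}
```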

I think we will need to patch.

Assignee: nobody → peterv
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch

Please nominate this for Beta and ESR102 approval when you get a chance, Peter.

Comment on attachment 9300841 [details]
Bug 1797336 - Apply expat CVE-2022-43680 fix. r?mccr8!

Beta/Release Uplift Approval Request

  • User impact if declined: Security issue (UAF).
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Code only runs when running out of memory.
  • String changes made/needed:
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Fix for a security issue not marked as such (imported from upstream). We're probably not vulnerable because of RLBox, but some distros ship without RLBox.
  • User impact if declined: Security issue (UAF).
  • Fix Landed on Version: 108
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Code only runs when running out of memory.
Flags: needinfo?(peterv)
Attachment #9300841 - Flags: approval-mozilla-esr102?
Attachment #9300841 - Flags: approval-mozilla-beta?

Comment on attachment 9300841 [details]
Bug 1797336 - Apply expat CVE-2022-43680 fix. r?mccr8!

Approved for 107.0b9

Attachment #9300841 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9300841 [details]
Bug 1797336 - Apply expat CVE-2022-43680 fix. r?mccr8!

Approved for 102.5esr.

Attachment #9300841 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
