• FreeBSD Errata Notice FreeBSD-EN-25:05.expat

    From FreeBSD Errata Notices@21:1/5 to All on Thu Apr 10 17:00:08 2025
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    =============================================================================
    FreeBSD-EN-25:05.expat                                          Errata Notice
                                                              The FreeBSD Project

    Topic: Update expat to 2.7.1

    Category: contrib
    Module: libbsdxml
    Announced: 2025-04-10
    Affects: All supported versions of FreeBSD.
    Corrected: 2025-04-07 03:39:34 UTC (stable/14, 14.2-STABLE)
    2025-04-10 14:57:40 UTC (releng/14.2, 14.2-RELEASE-p3)
    2025-04-07 03:41:14 UTC (stable/13, 13.5-STABLE)
    2025-04-10 14:59:02 UTC (releng/13.5, 13.5-RELEASE-p1)
    2025-04-10 14:59:36 UTC (releng/13.4, 13.4-RELEASE-p5)
    CVE Name: CVE-2024-8176

    For general information regarding FreeBSD Errata Notices and Security
    Advisories, including descriptions of the fields above, security
    branches, and the following sections, please visit
    <URL:https://security.FreeBSD.org/>.

    I. Background

    Expat is an XML parser library written in C. It is a stream-oriented
    parser in which an application registers handlers for things the parser
    might find in the XML document (like start tags).

    The FreeBSD base system ships libexpat as libbsdxml for components that
    need to parse XML data. Some of these applications use the XML parser
    on trusted data from the kernel, for instance the geom(8) configuration
    utilities, while other applications, like tar(1), cpio(1) and
    unbound-anchor(8), may use the XML parser on input from the network or
    the user.

    II. Problem Description

    A stack overflow bug exists in the libexpat library due to the way it
    handles recursive entity expansion in XML documents. When parsing an
    XML document with deeply nested entity references, libexpat can be
    forced to recurse indefinitely, exhausting the stack space and causing a
    crash.

    III. Impact

    This stack overflow could cause e.g. tar(1) to crash. Owing to the
    limited number of ways libbsdxml is used in FreeBSD, the base system is
    not likely to be vulnerable to denial of service (DoS) or exploitable
    memory corruption.

    IV. Workaround

    No workaround is available, but the problem only manifests when the
    affected system needs to process data from an untrusted source.

    Because the library is used by many third party applications, we advise
    system administrators to check and make sure that they have the latest
    expat version as well, and restart all third party services, or reboot
    the system.
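    The problem description above (recursive expansion of nested entity
    references) and the workaround's distinction between trusted and
    untrusted input suggest a defensive pattern for any program that links
    expat: refuse entity declarations entirely when the document comes from
    the network or a user, so the expansion path is never reached, and
    check the linked expat version against 2.7.1. The following is an added
    example, not code from the notice or from FreeBSD; it uses Python's
    standard-library binding to expat rather than libbsdxml, and the function
    names (parse_xml, expat_is_patched, EntityDeclarationRejected) and the two
    sample documents are constructed for illustration.

```python
"""Hardened use of expat on untrusted XML (added example, not FreeBSD code)."""
import xml.parsers.expat as expat

# Version the notice updates to; the entity-expansion fix is in this release.
MIN_EXPAT = (2, 7, 1)


def expat_is_patched(version=None):
    """True when the expat build is at least 2.7.1.

    `version` defaults to the expat linked into this interpreter; a tuple can
    be passed to evaluate some other build (e.g. one read from pkg info).
    """
    if version is None:
        version = expat.version_info
    return tuple(version[:3]) >= MIN_EXPAT


class EntityDeclarationRejected(ValueError):
    """Raised when untrusted input tries to declare an entity."""


def parse_xml(data, trusted=False):
    """Return the (event, element-name) list for `data`.

    trusted=False (the default; network or user input, as tar(1) or
    unbound-anchor(8) see) aborts on the first entity declaration, so the
    parser never enters the nested-expansion code at all.  trusted=True
    (kernel-supplied data, as the geom(8) utilities use) parses normally.
    """
    parser = expat.ParserCreate()
    events = []

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        # An exception raised inside a handler stops the parse and is
        # re-raised by Parse(), so the caller sees it directly.
        raise EntityDeclarationRejected(f"entity declaration {name!r} refused")

    if not trusted:
        parser.EntityDeclHandler = reject_entity
        # Never load external parameter entities (expat's default, made explicit).
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    parser.StartElementHandler = lambda name, attrs: events.append(("start", name))
    parser.EndElementHandler = lambda name: events.append(("end", name))
    parser.Parse(data, True)
    return events


# Constructed sample inputs (not from the notice).
CLEAN_DOC = b"<config><item/></config>"
# Entities that reference one another: a deep chain of these is what the
# notice says can exhaust the stack in expat before 2.7.1.  Two levels are
# enough to show the untrusted path refusing the declaration.
ENTITY_DOC = b"""<!DOCTYPE doc [
  <!ENTITY a "x">
  <!ENTITY b "&a;&a;">
]>
<doc>&b;</doc>"""


if __name__ == "__main__":
    print("runtime expat", expat.version_info, "patched:", expat_is_patched())
    print(parse_xml(CLEAN_DOC))
    try:
        parse_xml(ENTITY_DOC)
    except EntityDeclarationRejected as exc:
        print("rejected:", exc)
```

    Rejecting declarations rather than counting expansion depth is the
    simpler policy for untrusted input: XML consumed over the network
    (tar archives, trust-anchor files) has no legitimate need for a DTD,
    and the check happens before any expansion work is done.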

    V. Solution

    Upgrade your system to a supported FreeBSD stable or release / security
    branch (releng) dated after the correction date.

    Perform one of the following:

    1) To update your system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the amd64 or arm64
    platforms, or the i386 platform on FreeBSD 13, can be updated via the
    freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install

    2) To update your system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    [FreeBSD 13.4, 14.2]
    # fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch
    # fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch.asc
    # gpg --verify expat-13.4-14.2.patch.asc

    [FreeBSD 13.5]
    # fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch
    # fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch.asc
    # gpg --verify expat-13.5.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch -E < /path/to/patch

    c) Recompile the operating system using buildworld and installworld as
    described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

    The FreeBSD base system does not install daemons that use the library.
    A reboot is not required after updating the base system.

    VI. Correction details

    This issue is corrected as of the corresponding Git commit hash in the
    following stable and release branches:

    Branch/path                             Hash                     Revision
    -------------------------------------------------------------------------
    stable/14/                              fd4592006b13    stable/14-n271000
    releng/14.2/                            700e7384dfbf  releng/14.2-n269520
    stable/13/                              5630672e6f6d    stable/13-n259244
    releng/13.5/                            dec0bf8096b3  releng/13.5-n259164
    releng/13.4/                            e3fd2734314d  releng/13.4-n258281
    -------------------------------------------------------------------------

    Run the following command to see which files were modified by a
    particular commit:

    # git show --stat <commit hash>

    Or visit the following URL, replacing NNNNNN with the hash:

    <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

    To determine the commit count in a working tree (for comparison against
    nNNNNNN in the table above), run:

    # git rev-list --count --first-parent HEAD

    VII. References

    <URL:https://github.com/libexpat/libexpat/issues/893>
    <URL:https://github.com/libexpat/libexpat/issues/973>

    The latest revision of this advisory is available at
    <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:05.expat.asc>
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DUACgkQbljekB8A
    Gu8jQA/6AtsNwonBza6fjbkQaDeGbyEn2agOvkZ8R0tF+QKnYLVt63O52r9VmTeG
    s5/yLjcXKqo4Bnk9x3+BiDzA6x2LQrma8QRuvz+eLrRyGK2Ux0L5py0lNb9CqTsc
    /jS+5dU18nOA4v9P+UMj6NWXAxlgJ3LVVGgSLZxjXLkyZHzzUnQHiQnY4DeWzAh6
    tTY/EeNjVd3LPIDmpomHSsrt+ayD13+SNdADNWY3mColCS4ew8duiOIoACpj8J99
    LI6hfUjninjmkPbgUmRnX5akh35uxcOhANFuyHlr5GMsh/h76BJ1FT64oZtBwWTQ
    Zy/hF6fBOb42NJMUuIu7yNEgYg2Yb8fgb0+zfFtBih5U/KBGD/yD3mst3lAAVPZS
    Q25e3U9zbyVyykZg5RdKVWy1PSI2FG7uNb+f1Jz8xPPgcCF9edjJLHD2lcTZVprR
    bJPeFXf5MJjgzSafLxon4jA/6rnoqUaML1Cbi6DIVhC4hgsBCzMzcTedo7gjP6Ab
    6c6msxXLha0Q7eBUH10uoh+I91AMERBJZpEEaX8PN9GtRZi+lvn04GW2UbjRnBpY
    eKL/9RGeW8WRMwwututtzSbFLk8iSzcOto2iVClkkybOQAau78kTpnMhGyRav/UQ
    zezIRE2X/Ob34wZK3WxQRGuIVx40Ci0ZNly2w6wRTmak9twgP6U=
    =9pZP
    -----END PGP SIGNATURE-----