-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

============================================================================= FreeBSD-EN-25:05.expat Errata Notice
The FreeBSD Project

Topic: Update expat to 2.7.1

Category: contrib
Module: libbsdxml
Announced: 2025-04-10
Affects: All supported versions of FreeBSD.
Corrected: 2025-04-07 03:39:34 UTC (stable/14, 14.2-STABLE)
2025-04-10 14:57:40 UTC (releng/14.2, 14.2-RELEASE-p3)
2025-04-07 03:41:14 UTC (stable/13, 13.5-STABLE)
2025-04-10 14:59:02 UTC (releng/13.5, 13.5-RELEASE-p1)
2025-04-10 14:59:36 UTC (releng/13.4, 13.4-RELEASE-p5)
CVE Name: CVE-2024-8176

For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the parser
might find in the XML document (like start tags).

The FreeBSD base system ships libexpat as libbsdxml for components that
need to parse XML data. Some of these applications use the XML parser
on trusted data from the kernel, for instance the geom(8) configuration utilities, while other applications, like tar(1), cpio(1) and unbound-anchor(8), may use the XML parser on input from network or the
user.

II. Problem Description

A stack overflow bug exists in the libexpat library due to the way it
handles recursive entity expansion in XML documents. When parsing an
XML document with deeply nested entity references, libexpat can be
forced to recurse indefinitely, exhausting the stack space and causing a
crash.

III. Impact

This stack overflow could cause e.g. tar(1) to crash. Owing to the
limited number of ways libbsdxml is used in FreeBSD, the base system is
not likely to be vulnerable to denial of service (DoS) or exploitable memory corruption.

IV. Workaround

No workaround is available, but the problem only manifests when the
affected system needs to process data from an untrusted source.

Because the library is used by many third party applications, we advise
system administrators to check and make sure that they have the latest
expat version as well, and restart all third party services, or reboot
the system.

V. Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.4, 14.2]
# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch
# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch.asc # gpg --verify expat-13.4-14.2.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch
# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch.asc
# gpg --verify expat-13.5.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch -E < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

The FreeBSD base system does not install daemons that use the library.
A reboot is not required after updating the base system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

Branch/path Hash Revision
- ------------------------------------------------------------------------- stable/14/ fd4592006b13 stable/14-n271000 releng/14.2/ 700e7384dfbf releng/14.2-n269520 stable/13/ 5630672e6f6d stable/13-n259244 releng/13.5/ dec0bf8096b3 releng/13.5-n259164 releng/13.4/ e3fd2734314d releng/13.4-n258281
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://github.com/libexpat/libexpat/issues/893> <URL:https://github.com/libexpat/libexpat/issues/973>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:05.expat.asc> -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmf38DUACgkQbljekB8A Gu8jQA/6AtsNwonBza6fjbkQaDeGbyEn2agOvkZ8R0tF+QKnYLVt63O52r9VmTeG s5/yLjcXKqo4Bnk9x3+BiDzA6x2LQrma8QRuvz+eLrRyGK2Ux0L5py0lNb9CqTsc /jS+5dU18nOA4v9P+UMj6NWXAxlgJ3LVVGgSLZxjXLkyZHzzUnQHiQnY4DeWzAh6 tTY/EeNjVd3LPIDmpomHSsrt+ayD13+SNdADNWY3mColCS4ew8duiOIoACpj8J99 LI6hfUjninjmkPbgUmRnX5akh35uxcOhANFuyHlr5GMsh/h76BJ1FT64oZtBwWTQ Zy/hF6fBOb42NJMUuIu7yNEgYg2Yb8fgb0+zfFtBih5U/KBGD/yD3mst3lAAVPZS Q25e3U9zbyVyykZg5RdKVWy1PSI2FG7uNb+f1Jz8xPPgcCF9edjJLHD2lcTZVprR bJPeFXf5MJjgzSafLxon4jA/6rnoqUaML1Cbi6DIVhC4hgsBCzMzcTedo7gjP6Ab 6c6msxXLha0Q7eBUH10uoh+I91AMERBJZpEEaX8PN9GtRZi+lvn04GW2UbjRnBpY eKL/9RGeW8WRMwwututtzSbFLk8iSzcOto2iVClkkybOQAau78kTpnMhGyRav/UQ zezIRE2X/Ob34wZK3WxQRGuIVx40Ci0ZNly2w6wRTmak9twgP6U=
=9pZP
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)