{"affected":[{"ecosystem_specific":{"binaries":[{"libexpat1":"2.7.1-slfo.1.1_1.1"}]},"package":{"ecosystem":"SUSE:Linux Micro 6.1","name":"expat","purl":"pkg:rpm/suse/expat&distro=SUSE%20Linux%20Micro%206.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.7.1-slfo.1.1_1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for expat fixes the following issues:\n\nVersion update to 2.7.1:\n\n     Bug fixes:\n\n       #980 #989  Restore event pointer behavior from Expat 2.6.4\n                    (that the fix to CVE-2024-8176 changed in 2.7.0);\n                    affected API functions are:\n                    - XML_GetCurrentByteCount\n                    - XML_GetCurrentByteIndex\n                    - XML_GetCurrentColumnNumber\n                    - XML_GetCurrentLineNumber\n                    - XML_GetInputContext\n\n     Other changes:\n\n       #976 #977  Autotools: Integrate files \"fuzz/xml_lpm_fuzzer.{cpp,proto}\"\n                    with Automake that were missing from 2.7.0 release tarballs\n       #983 #984  Fix printf format specifiers for 32bit Emscripten\n            #992  docs: Promote OpenSSF Best Practices self-certification\n            #978  tests/benchmark: Resolve mistaken double close\n            #986  Address compiler warnings\n       #990 #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)\n                    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/\n                    for what these numbers do\n\n        Infrastructure:\n\n            #982  CI: Start running Perl XML::Parser integration tests\n            #987  CI: Enforce Clang Static Analyzer clean code\n            #991  CI: Re-enable warning clang-analyzer-valist.Uninitialized\n                    for clang-tidy\n            #981  CI: Cover compilation with musl\n       #983 #984  CI: Cover compilation with 32bit Emscripten\n       #976 #977  CI: Protect against fuzzer files missing from future\n                    release 
archives\n\nversion update to 2.7.0 (CVE-2024-8176 [bsc#1239618]):\n\n  * Security fixes:\n\n       #893 #973  CVE-2024-8176 -- Fix crash from chaining a large number\n                    of entities caused by stack overflow by resolving use of\n                    recursion, for all three uses of entities:\n                    - general entities in character data (\"<e>&g1;</e>\")\n                    - general entities in attribute values (\"<e k1='&g1;'/>\")\n                    - parameter entities (\"%p1;\")\n                    Known impact is (reliable and easy) denial of service:\n                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C\n                    (Base Score: 7.5, Temporal Score: 7.2)\n                    Please note that a layer of compression around XML can\n                    significantly reduce the minimum attack payload size.\n\n   * Other changes:\n       #935 #937  Autotools: Make generated CMake files look for\n                    libexpat.@SO_MAJOR@.dylib on macOS\n            #925  Autotools: Sync CMake templates with CMake 3.29\n  #945 #962 #966  CMake: Drop support for CMake <3.13\n            #942  CMake: Small fuzzing related improvements\n            #921  docs: Add missing documentation of error code\n                    XML_ERROR_NOT_STARTED that was introduced with 2.6.4\n            #941  docs: Document need for C++11 compiler for use from C++\n            #959  tests/benchmark: Fix a (harmless) TOCTTOU\n            #944  Windows: Fix installer target location of file xmlwf.xml\n                    for CMake\n            #953  Windows: Address warning -Wunknown-warning-option\n                    about -Wno-pedantic-ms-format from LLVM MinGW\n            #971  Address Cppcheck warnings\n       #969 #970  Mass-migrate links from http:// to https://\n    #947 #958 ..\n       #974 #975  Document changes since the previous release\n       #974 #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)\n    
                to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/\n                    for what these numbers do\n\n- no source changes, just adding jira reference: jsc#SLE-21253\n\nVersion update to 2.6.4 \n\n  * Security fixes: [bsc#1232601][bsc#1232579]\n        #915  CVE-2024-50602 -- Fix crash within function XML_ResumeParser\n                from a NULL pointer dereference by disallowing function\n                XML_StopParser to (stop or) suspend an unstarted parser.\n                A new error code XML_ERROR_NOT_STARTED was introduced to\n                properly communicate this situation.  // CWE-476 CWE-754\n  * Other changes:\n        #903  CMake: Add alias target \"expat::expat\"\n        #905  docs: Document use via CMake >=3.18 with FetchContent\n                and SOURCE_SUBDIR and its consequences\n        #902  tests: Reduce use of global parser instance\n        #904  tests: Resolve duplicate handler\n   #317 #918  tests: Improve tests on doctype closing (ex CVE-2019-15903)\n        #914  Fix signedness of format strings\n   #919 #920  Version info bumped from 10:3:9 (libexpat*.so.1.9.3)\n                to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/\n                for what these numbers do\n\nUpdate to 2.6.3: \n\n  * Security fixes:\n\n    - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with\n      len < 0 without noticing and then calling XML_GetBuffer\n      will have XML_ParseBuffer fail to recognize the problem\n      and XML_GetBuffer corrupt memory.\n      With the fix, XML_ParseBuffer now complains with error\n      XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse\n      has been doing since Expat 2.2.1, and now documented.\n      Impact is denial of service to potentially arbitrary code\n      execution.\n    - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an\n      integer overflow for nDefaultAtts on 32-bit platforms\n      (where UINT_MAX equals SIZE_MAX).\n      
Impact is denial of service to potentially arbitrary code\n      execution.\n    - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can\n      have an integer overflow for m_groupSize on 32-bit\n      platforms (where UINT_MAX equals SIZE_MAX).\n      Impact is denial of service to potentially arbitrary code\n      execution.\n\nUpdate to 2.6.2:\n\n  * CVE-2024-28757 -- Prevent billion laughs attacks with isolated\n    use of external parsers (bsc#1221289)\n  * Reject direct parameter entity recursion and avoid the related\n    undefined behavior\n\nUpdate to 2.6.1:\n\n  * Expose billion laughs API with XML_DTD defined and XML_GE\n    undefined, regression from 2.6.0\n  * Make tests independent of CPU speed, and thus more robust\n\nUpdate to 2.6.0: \n\n  * Security fixes:\n    - CVE-2023-52425 (bsc#1219559)  \n      -- Fix quadratic runtime issues with big tokens\n      that can cause denial of service, in particular when\n      dealing with compressed XML input.  Applications\n      that parsed a document in one go -- a single call to\n      functions XML_Parse or XML_ParseBuffer -- were not affected.\n      The smaller the chunks/buffers you use for parsing\n      previously, the bigger the problem prior to the fix.\n      Backporters should be careful to not omit parts of\n      pull request #789 and to include earlier pull request #771,\n      in order to not break the fix.\n    - CVE-2023-52426 (bsc#1219561)\n      -- Fix billion laughs attacks for users\n      compiling *without* XML_DTD defined (which is not common).\n      Users with XML_DTD defined have been protected since\n      Expat >=2.4.0 (and that was CVE-2013-0340 back then).\n  * Bug fixes:\n    - Fix parse-size-dependent \"invalid token\" error for\n      external entities that start with a byte order mark\n    - Fix NULL pointer dereference in setContext via\n      XML_ExternalEntityParserCreate for compilation with\n      XML_DTD undefined\n    - Protect against closing entities 
out of order\n  * Other changes:\n    - Improve support for arc4random/arc4random_buf\n    - Improve buffer growth in XML_GetBuffer and XML_Parse\n    - xmlwf: Support --help and --version\n    - xmlwf: Support custom buffer size for XML_GetBuffer and read\n    - xmlwf: Improve language and URL clickability in help output\n    - examples: Add new example \"element_declarations.c\"\n    - Be stricter about macro XML_CONTEXT_BYTES at build time\n    - Make inclusion to expat_config.h consistent\n    - Autotools: configure.ac: Support --disable-maintainer-mode\n    - Autotools: Sync CMake templates with CMake 3.26\n    - Autotools: Make installation of shipped man page doc/xmlwf.1\n      independent of docbook2man availability\n    - Autotools|CMake: Add missing -DXML_STATIC to pkg-config file\n      section \"Cflags.private\" in order to fix compilation\n      against static libexpat using pkg-config on Windows\n    - Autotools|CMake: Require a C99 compiler\n      (a de-facto requirement already since Expat 2.2.2 of 2017)\n    - Autotools|CMake: Fix PACKAGE_BUGREPORT variable\n    - Autotools|CMake: Make test suite require a C++11 compiler\n    - CMake: Require CMake >=3.5.0\n    - CMake: Lowercase off_t and size_t to help a bug in Meson\n    - CMake: Sort xmlwf sources alphabetically\n    - CMake|Windows: Fix generation of DLL file version info\n    - CMake: Build tests/benchmark/benchmark.c as well for\n      a build with -DEXPAT_BUILD_TESTS=ON\n    - docs: Document the importance of isFinal + adjust tests\n      accordingly\n    - docs: Improve use of \"NULL\" and \"null\"\n    - docs: Be specific about version of XML (XML 1.0r4)\n      and version of C (C99); (XML 1.0r5 will need a sponsor.)\n    - docs: reference.html: Promote function XML_ParseBuffer more\n    - docs: reference.html: Add HTML anchors to XML_* macros\n    - docs: reference.html: Upgrade to OK.css 1.2.0\n    - docs: Fix typos\n    - docs|CI: Use HTTPS URLs instead of HTTP at various places\n    - 
Address compiler warnings\n    - Address clang-tidy warnings\n    - Version info bumped from 9:10:8 (libexpat*.so.1.8.10)\n      to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/\n      for what these numbers do\n","id":"SUSE-SU-2025:20311-1","modified":"2025-05-13T13:37:27Z","published":"2025-05-13T13:37:27Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202520311-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1219559"},{"type":"REPORT","url":"https://bugzilla.suse.com/1219561"},{"type":"REPORT","url":"https://bugzilla.suse.com/1221289"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229930"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229931"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229932"},{"type":"REPORT","url":"https://bugzilla.suse.com/1232579"},{"type":"REPORT","url":"https://bugzilla.suse.com/1232601"},{"type":"REPORT","url":"https://bugzilla.suse.com/1239618"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2013-0340"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-15903"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-52425"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-52426"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-28757"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45490"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45491"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45492"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-50602"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-8176"}],"related":["CVE-2013-0340","CVE-2019-15903","CVE-2023-52425","CVE-2023-52426","CVE-2024-28757","CVE-2024-45490","CVE-2024-45491","CVE-2024-45492","CVE-2024-50602","CVE-2024-8176"],"summary":"Security update for 
expat","upstream":["CVE-2013-0340","CVE-2019-15903","CVE-2023-52425","CVE-2023-52426","CVE-2024-28757","CVE-2024-45490","CVE-2024-45491","CVE-2024-45492","CVE-2024-50602","CVE-2024-8176"]}