
The story behind CVE-2024-8176 / expat 2.7.0 is released, includes security fixes

For readers new to Expat:

Expat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used free software XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.7.0 was released earlier today. I will make this a more detailed post than usual because, in many ways, there is more to say about this release than about an average libexpat release: there is a story this time.

What is in release 2.7.0?

The key motivation for doing a release today is to get the fix for a long-standing vulnerability out to users: I will come back to that vulnerability – CVE-2024-8176 – in detail later. First, what else is there in this release?

There are fixes to both official build systems as usual, as well as documentation fixes.

There is a new fuzzer xml_lpm_fuzzer by Mark Brand that OSS-Fuzz has started to include in its daily continuous fuzzing. The fuzzer is based on Clang's libFuzzer and Google's libprotobuf-mutator (LPM) and uses a variant of coverage-guided fuzzing called structure-aware fuzzing. A side job of including the new fuzzer was making the dependency libprotobuf-mutator support the Protobuf versions shipped with Ubuntu 24.04 and 20.04: my related work went upstream and is available to everyone.

Another interesting sideshow of this release is a (harmless) TOCTOU issue that static analysis found in a benchmarking helper tool shipped next to core libexpat. If you have not heard of that kind of race-condition weakness before but are curious, the related pull request may be of interest: it is textbook TOCTOU in a real-world example.

Also new with this release is that Windows binaries are now built on GitHub Actions rather than AppVeyor, and now also for 64-bit. I had added 64-bit binaries to the previous release, Expat 2.6.4, on January 21, but now this becomes a regular part of the release process.

The vulnerability report

So what is that long-standing vulnerability? In July 2022 – almost two and a half years ago – Jann Horn of Google Project Zero and Spectre/Meltdown fame reached out to me by e-mail with a libexpat finding, including an idea for a fix.

His finding can be considered the "linear version of Billion Laughs" – a linear chain (of so-called general entities) rather than a tree – like this:

Except not with two (or three) levels, but thousands. Why can a chain of thousands of entity references be a problem for libexpat? Because of recursion, because of recursive C function calls: each call to a function grows the stack, and if functions call each other recursively and attacker-controlled input can influence the depth, attackers can force the stack to overflow into the heap: stack overflow, segmentation fault, denial of service. How many levels of nesting are needed to hit depends on the stack size of the target machine: 23,000 levels hit one machine but not another.

Education that introduces or leads people to recursion should come with a warning: recursion is not only beautiful, a thinking tool, and often allows for simple solutions – it also has a dark side: it is a big security problem. The paper The Power of 10: Rules for Developing Safety-Critical Code warned about the use of recursion in 2006, but Expat development had started in 1997.

Back to the first e-mail: Jann shared what he considered a fix – avoiding (or resolving) the recursion – and how it could be done in general. Unlike other Project Zero findings, there was no 90-day deadline for this issue, because – while memory corruption was regarded as a theoretical possibility – denial of service was considered the realistic effect. It should be noted that this risk assessment comes with no guarantee.

Processing the vulnerability

Two things became clear to me:

  1. That this vulnerability has multiple "faces" or variants, and that the only real fix is to effectively remove all remaining recursion from Expat. This is not the first time recursion has been an issue with C software, or even with libexpat in particular: Samanta Navarro had already resolved vulnerable recursion in a different place of the libexpat code in February 2022. Thank you again!
  2. That it is a big chunk of work, not a good match for my unpaid volunteer role with Expat on top of my unrelated day job. I expected it to be like my earlier work fixing Billion Laughs for Expat 2.4.0, but bigger.

With that expectation, the issue started to age without getting any better, and to some extent I felt paralysed by the subject and kept procrastinating on it for a long time. Then came a conversation with my friend, journalist and security researcher Hanno Böck, with whom I shared the issue. He argued that even without a fix, the issue should be made public at some point.

One reason I resisted publishing without a fix is that a cheap hack exists that would quickly block the attack but would also break parsing of documents that are fine today – or the other way around: a real mess.

I finally concluded that the vulnerability could not keep sitting in my inbox for yet another year, that there should be a fix before disclosure, and that I needed help with it.

Reaching out to companies for help

In early 2024, I started thinking of ways to find help and added a call for help to the changelog attached to Expat 2.6.2. I started drafting an e-mail that I would send to companies known to use libexpat in hardware products. I also started keeping a (non-exhaustive) public list of companies using Expat in hardware, which is public now.

On April 14, 2024 I started searching for security contacts of the companies on that list. For some it was easy to find, for others I gave up at some point; for some I am still not sure whether I got the right address or whether they ignored me as part of an ostrich policy. I wish more companies would start serving /.well-known/security.txt; finding a contact for a security report is still real work in 2025, and it need not be.

So I then sent around 40 companies an e-mail using a template like this:

Hello ${company},


this e-mail is about ${company} product IT security.
Are you the right contact for that?  If not please forward
it to the responsible contact within ${company} — thank you!

On the security matter:

It has come to my attention that ${company} products and
business rely on libexpat or the "Expat" XML parser library,
e.g. product ${product} is using libexpat according to
document (1).  I am contacting you as the maintainer of
libexpat and its most active contributor for the last 8
years, as can be seen at (2); I am reaching out to you today
to raise awareness that:

- All but the latest release of libexpat (2.6.2) have
  security issues known to the public, so every product
  using older versions of libexpat can be attacked through
  vulnerable versions of libexpat.

- Both automated fuzzing (3) and reports from security
  researchers keep uncovering vulnerabilities in libexpat,
  so it needs a process of updating the copy of libexpat
  that you bundle and ship with your products, if not
  already present.

- My time on libexpat is unfunded and limited, and there is
  no one but me to constantly work on libexpat security and
  to also progress on bigger lower priority tasks in
  libexpat.

- There is a non-public complex-to-fix security issue in
  libexpat that I have not been able to fix alone in my
  spare time for months now, that some attackers may have
  managed to find themselves and be actively exploiting
  today.

I need partners in fixing that vulnerability.
Can ${company} be a partner in fixing that vulnerability,
so that your products using libexpat will be secure to use
in the future?

I am looking forward to your reply, best



Sebastian Pipping

Maintainer of libexpat


(1) ${product_open_source_copyright_pdf_url}
(2) https://github.com/libexpat/libexpat/graphs/contributors
(3) https://en.wikipedia.org/wiki/Fuzzing

The replies come in

The replies I got from companies were all over the map:

  • My "favourite" reply was "We don't understand what you want from us" when everyone else understood me just fine. Nice!

  • Closely competing with "a patch release will follow shortly" when they had not received any details from me yet. Okay!

  • There was the claim that the products I had mentioned no longer receive updates (rather than stating that their affected products are end-of-life but continue to be used by thousands).

  • I was asked to prove a concrete attack on the company's products (not in the abstract, the actual product is required, etc.).

  • "We don't have enough resources to help you with this even though libexpat is used by some of …'s products" came back a few times.

It is interesting and funny in some sense, and not funny in another.

Next stop: NDA

The next step was that I asked companies to sign a simple freeform NDA with me. Companies were not prepared for that. Why did I ask for an NDA and TLP:RED? To (1) make sure that the shared details would be used to work together on a real fix and not only on their own setups, and (2) to avoid a public disclosure before a real fix.

Some discussions failed at the NDA stage, while others went on and led to video calls explaining Jann's finding.

It is worth noting that I knew going in that many vulnerability reward programs exclude the whole class of denial of service, so I tied sharing the expected impact to signing an NDA to reduce the chances of everyone dismissing it with "Oh, 'just' denial of service, we'll pass".

Team and security work

To cut a long story short, I found two main partner companies for this: Siemens and a company that does not want to be named, which we will call the "unnamed company". Siemens started developing a candidate fix, and the unnamed company started evaluating which other companies could help them, which got Linutronix and later Red Hat involved.

Siemens took the developer's role while Linutronix, Red Hat and I provided security quality assurance in different ways. While we did not work day and night, it is fair to say that we worked on the issue from May 2024 on – for about 10 months.

The three faces of the vulnerability

It turned out that the vulnerability indeed has multiple – three – faces:

1. General entities in character data

2. General entities in attribute values

3. Parameter entities

The third variant, "parameter entities", uses ideas from my 2013 exploit for the vulnerability Parameter Laughs (CVE-2021-3541): it uses the same mechanism of delayed interpretation.
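As an added example (not code from the post or from the Expat project), here is a small guard around Python's xml.parsers.expat, which wraps libexpat: it reports whether the linked libexpat already carries the 2.7.0 fix, and it parses a constructed three-level chain of general entities (variant 1 above) under a budget of entity declarations so that a deep chain is rejected before any recursive expansion starts. The budget size and the sample document are assumptions made here for illustration.

```python
# Added example, not from the post or the Expat project: a small guard around
# Python's xml.parsers.expat (pyexpat), which wraps libexpat.
import xml.parsers.expat as expat

# Constructed sample: a 3-level linear chain of general entities, the shape the
# post describes (variant 1, general entities in character data). Real attacks
# use thousands of levels; three are enough to show the mechanism.
CHAIN_DOC = (
    '<!DOCTYPE doc [\n'
    '  <!ENTITY e0 "x">\n'
    '  <!ENTITY e1 "&e0;">\n'
    '  <!ENTITY e2 "&e1;">\n'
    ']>\n'
    '<doc>&e2;</doc>\n'
)

def linked_expat_version():
    """(major, minor, micro) of the libexpat this Python is linked against."""
    return tuple(expat.version_info)


def has_cve_2024_8176_fix():
    """True if the linked libexpat is 2.7.0 or later, the release with the fix."""
    return linked_expat_version() >= (2, 7, 0)


class EntityBudgetExceeded(Exception):
    """The DTD declares more entities than the caller allows."""


def parse_with_entity_budget(xml_text, max_entities=64):
    """Parse xml_text and return its character data, aborting as soon as the
    DTD declares more than max_entities entities. Each level of an entity
    chain needs its own <!ENTITY> declaration, so the budget bounds the chain
    depth before any recursive expansion happens. This helps callers stuck on
    an older libexpat; it is no substitute for updating to 2.7.0."""
    parser = expat.ParserCreate()
    chars, seen = [], 0

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        nonlocal seen
        seen += 1
        if seen > max_entities:
            # An exception raised in a handler stops the parse; Parse() re-raises it.
            raise EntityBudgetExceeded(f"more than {max_entities} entity declarations")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chars.append
    parser.Parse(xml_text, True)
    return "".join(chars)
```

With the default budget the sample expands to the single character "x"; with a budget of 2 the third declaration triggers EntityBudgetExceeded before the root element is even reached.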

Conclusions and thanks

It is no overstatement to say that without the work of Berkay Eren – the main author of the fix – and his manager Dr. Thomas Pröll at Siemens there would be no fix today: a big and personal "Thanks!" from me.

Thanks to the unnamed company, to Linutronix and to Red Hat for helping to make this plane fly!

Thanks to Jann Horn for his research on this and for the demo patch that led the way to the fix!

Thanks to everyone who contributed to this release of Expat!

And please tell your friends:

Please leave recursion to math and keep it out of (in particular C) software: it kills and kills again. Kind regards from libexpat; see CVE-2022-25313 and CVE-2024-8176 for proof.

For more details about this release, please check the changelog.

If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat somewhere, please update to 2.7.0. Thanks!

Sebastian Pipping

2025-03-14 01:05:00
