Fwd: "I spread Kremlin propaganda": Russian TV news protester's pre-recorded statement
Expat 2.4.7 released
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.4.7 was released a few minutes ago. Most importantly, this release relaxes the fix for CVE-2022-25236 (introduced with release 2.4.5); some of you have been waiting for that because of incompatibilities the original fix caused.
For more details, please check out the change log.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.7. Thank you!
Sebastian Pipping
Expat 2.4.6 released
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.4.6 was released a few hours ago. This release fixes a regression introduced by one of the security fixes in 2.4.5.
For more details, please check out the change log.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.6. Thank you!
Sebastian Pipping
Expat 2.4.5 released, includes security fixes
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.4.5 was released a few hours ago. This release is about security fixes. There are 5 CVEs involved:
Regarding the impact of these vulnerabilities, please note that looking at a vulnerability in isolation may miss part of the picture: e.g. if Expat passes malformed data to the application using it and that application isn't prepared for Expat violating their agreed API contract, you may end up with code execution from something that looked close to harmless in isolation.
For more details, please check out the change log.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.5. Thank you!
Sebastian Pipping
Expat 2.4.4 released, includes security fixes
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.4.4 was released yesterday. Besides a memory leak bugfix to xmlwf and fixes to the build system, this release is about security fixes. There are 2 CVEs involved, both related to fixed-size integer math (integer overflow) near memory allocation, not unlike what we had with 2.4.3 before. Impact is denial of service, or more.
For more details, please check out the change log.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.4. Thank you!
Sebastian Pipping
Expat 2.4.3 released, includes security fixes
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.4.3 was released earlier today. Besides two minor fixes to the build system, this release is about security fixes. A total of 8 CVEs are fixed, all related to fixed-size integer math (integer overflow and invalid shifts) near memory allocation. Impact is denial of service, or more.
- CVE-2021-45960
- CVE-2021-46143
- CVE-2022-22822
- CVE-2022-22823
- CVE-2022-22824
- CVE-2022-22825
- CVE-2022-22826
- CVE-2022-22827
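The bug class named for these two releases, fixed-size integer math feeding an allocation, is easier to reason about with the unsafe shape next to the guarded one. The following C is an added example written for this page; it is not Expat's own code and the function names are this example's own. It shows a multiplication that wraps silently, and the checks a parser needs before a product, a buffer-doubling step or a left shift is trusted as an allocation size.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Example code for this page (not libexpat's): the integer-math-near-malloc
 * bug class, unsafe shape first, then the guards that prevent it. */

/* The unsafe shape: count * elem_size wraps silently on overflow, so a huge
 * count can produce a tiny allocation that later writes run past. */
size_t unchecked_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* 1 if count * elem_size fits in size_t, 0 if the product would wrap.
 * Dividing SIZE_MAX by the element size avoids doing the overflowing
 * multiplication at all. */
int mul_fits(size_t count, size_t elem_size) {
    return elem_size == 0 || count <= SIZE_MAX / elem_size;
}

/* 1 if old_len * 2 + extra fits in size_t: the usual buffer-doubling step,
 * rearranged so that no intermediate can overflow. */
int grow_fits(size_t old_len, size_t extra) {
    return old_len <= (SIZE_MAX - extra) / 2;
}

/* Left shift guarded against two problems: a shift count equal to or larger
 * than the type width (undefined behaviour in C), and set bits being shifted
 * out of the top, which silently shrinks the result. */
int shl_fits(size_t value, unsigned shift) {
    if (shift >= sizeof(size_t) * CHAR_BIT) return 0;
    return value <= (SIZE_MAX >> shift);
}

/* Allocation that refuses to compute a wrapped size: NULL on overflow, so the
 * caller sees an ordinary allocation failure instead of an undersized buffer. */
void *alloc_array(size_t count, size_t elem_size) {
    if (!mul_fits(count, elem_size)) return NULL;
    return malloc(count * elem_size);
}

/* Convenience for exercising the happy path without leaking:
 * 1 if the guarded allocation succeeded. */
int alloc_array_ok(size_t count, size_t elem_size) {
    void *p = alloc_array(count, elem_size);
    if (p == NULL) return 0;
    free(p);
    return 1;
}
```

With `count = SIZE_MAX / 2 + 1` and an element size of 2, `unchecked_alloc_size` returns 0 on every platform where size_t is a power-of-two width, which is exactly the "allocate almost nothing, then write a lot" pattern behind this bug class; `alloc_array` returns NULL for the same input.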
For more details, please check out the change log.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.3. Thank you!
Sebastian Pipping
uriparser 0.9.6 with security fixes released
Earlier today uriparser 0.9.6 was released. Version 0.9.6 comes with security fixes for vulnerabilities CVE-2021-46141 and CVE-2021-46142, as well as minor fixes related to the build system, compiler warnings and documentation. For more details please check the change log.
Last but not least: If you maintain uriparser packaging or a bundled version of uriparser somewhere, please update to 0.9.6 — thank you!
CVE-2013-0340 "Billion Laughs" fixed in Expat 2.4.0
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.4.0 and follow-up release 2.4.1 were both released earlier today.
Release 2.4.0 fixes the long-known security issue CVE-2013-0340 by adding protection against so-called Billion Laughs Attacks, a form of denial of service against applications accepting XML input, in all known variations, including the recent flavor Parameter Laughs.
I first became interested in detecting Billion Laughs Attacks back in 2008, 13 years ago, already in the context of Expat at the time, but on top of it rather than from the inside, and long before I joined the maintenance of Expat in July 2016. In 2017 the topic got back on my radar, and by 2020 I eventually decided to make the topic a personal priority. In an e-mail conversation with Nick Wellnhofer in June 2020, Nick wrote:
I came to the conclusion that the most sensible check is to make sure that the total size of the output in bytes doesn't exceed the input size by a certain factor[.]
I was doubtful at first, digested it for multiple days, and then I was sure that he was right. Nick's conclusion became the foundation of my implementation of the protection in Expat. That factor between input and output bytes is what the term "amplification", which you will find used throughout the documentation, refers to.
Besides this security fix, there is the usual bunch of fixes and improvements in tooling, documentation, and the two build systems. For more details, please check out the change log.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.1. Thank you!
Sebastian Pipping
CVE-2021-3541 "Parameter Laughs" fixed in libxml2 2.9.11
In the context of my work on protection against Billion Laughs Attacks for libexpat, I played with the existing protection of libxml2 against those attacks. As an unintended byproduct, that led me to finding a bypass of that protection, a new vulnerability in libxml2 prior to 2.9.11 that I call Parameter Laughs; it has been assigned CVE number CVE-2021-3541 and is known as libxml2 issue 228 upstream.
Parameter Laughs is based upon well-known ideas from the Billion Laughs Attack — both use nested entities to amplify a small payload of a few hundred bytes up to gigabytes of content to process and hence waste loads of RAM, CPU time, or both — but in contrast Parameter Laughs…
- uses parameter entities (syntax %entity; with %) rather than general entities (syntax &entity; with &), and
- uses delayed interpretation to effectively sneak use of parameter entities into the so-called "internal subset" of the XML document (the "here" in <!DOCTYPE r [here]>) where undisguised parameter entities are not allowed, with regard to the XML specification.
What do I mean by "delayed interpretation"? Let us declare a parameter entity like this:
<!ENTITY % pe_2 "%pe_1;<!---->%pe_1;">
Now during replacement of the reference %pe_2;, the text % is turned into % and hence %pe_1; becomes %pe_1;. That triggers two new rounds of replacement for %pe_1; after %pe_2; has been fully replaced — there you have the delay (and the exponential growth).
Here is what Parameter Laughs looks like as a complete XML document (added 2021-05-25):
<?xml version="1.0"?>
<!--
  "Parameter Laughs", i.e. variant of Billion Laughs Attack
  using delayed interpretation of parameter entities

  Copyright (C) Sebastian Pipping <sebastian@pipping.org>
-->
<!DOCTYPE r [
  <!ENTITY % pe_1 "<!---->">
  <!ENTITY % pe_2 "%pe_1;<!---->%pe_1;">
  <!ENTITY % pe_3 "%pe_2;<!---->%pe_2;">
  %pe_3;
  <!-- not at full potential, increase towards "%pe40;" carefully -->
]>
<r/>
Compared to something like arbitrary code execution, Parameter Laughs is "only" a denial of service attack. Its eager use of RAM made my machine need a hard reset in practice: maybe that's something that you want to be protected against, too.
(German) Fwd: Ask a Homeless Person: Dominik on cold nights, restlessness and violence on the street
This interview is part of the series Frag ein Klischee by hyperbole, with many other exciting interviews.