Bug 1219559 (CVE-2023-52425)

Summary: VUL-0: CVE-2023-52425: expat: denial of service (resource consumption) caused by processing large tokens
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: David Anes <david.anes>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: ali.abdallah, alnovak, andrea.mattiazzo, andreas.taschner, david.anes, kstreitova, meissner, simonf.lees, stoyan.manolov
Version: unspecifiedFlags: stoyan.manolov: needinfo?
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/392985/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52425:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1219561, 1221563, 1222075    

Description SMASH SMASH 2024-02-05 10:06:44 UTC 
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52425
https://www.cve.org/CVERecord?id=CVE-2023-52425

Patch:
https://github.com/libexpat/libexpat/pull/789
Comment 1 Andrea Mattiazzo 2024-02-05 10:08:11 UTC 
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0
- SUSE:Carwos:1/expat
- SUSE:SLE-11:Update/expat (in reactive support)
- SUSE:SLE-12:Update/expat
- SUSE:SLE-15-SP4:Update/expat
- SUSE:SLE-15:Update/expat
- openSUSE:Factory/expat
Comment 4 David Anes 2024-02-12 14:47:09 UTC 
From 2.6.0 release notes:

> Backporters should be careful to no omit parts of
> pull request #789 and to include earlier pull request #771,
> in order to not break the fix.

Therefore, patches are in:
- https://github.com/libexpat/libexpat/pull/789
- https://github.com/libexpat/libexpat/pull/771
Comment 5 David Anes 2024-02-14 09:52:32 UTC 
Factory request is on-going, as the update to 2.6.0 breaks other packages (I already notified their maintainers):
* https://build.opensuse.org/request/show/1146280
Comment 13 Andreas Taschner 2024-02-23 13:15:03 UTC 
Have you been able to progress any further towards a submission, David ?
Comment 16 Andreas Taschner 2024-02-27 08:18:09 UTC 
Thank you for the updates, guys.
Comment 23 OBSbugzilla Bot 2024-03-22 11:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1160579 Factory / python310
https://build.opensuse.org/request/show/1160580 Factory / python39
https://build.opensuse.org/request/show/1160582 Factory / python38
Comment 24 OBSbugzilla Bot 2024-03-24 03:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1161042 Factory / python39
Comment 25 OBSbugzilla Bot 2024-03-24 09:35:13 UTC 
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1161074 Factory / python310
Comment 27 Maintenance Automation 2024-03-27 16:30:09 UTC 
SUSE-SU-2024:1009-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1211301, 1219559, 1219666, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33053](https://smelt.suse.de/incident/33053/)
Sources used:
openSUSE Leap 15.3 (src):
 python39-3.9.19-150300.4.41.1, python39-documentation-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
openSUSE Leap 15.5 (src):
 python39-3.9.19-150300.4.41.1, python39-documentation-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Enterprise Storage 7.1 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Maintenance Automation 2024-04-08 08:30:01 UTC 
SUSE-SU-2024:1129-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219559, 1221289
CVE References: CVE-2023-52425, CVE-2024-28757
Maintenance Incident: [SUSE:Maintenance:32868](https://smelt.suse.de/incident/32868/)
Sources used:
openSUSE Leap 15.4 (src):
 expat-2.4.4-150400.3.17.1
openSUSE Leap Micro 5.3 (src):
 expat-2.4.4-150400.3.17.1
openSUSE Leap Micro 5.4 (src):
 expat-2.4.4-150400.3.17.1
openSUSE Leap 15.5 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro 5.3 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro 5.4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro 5.5 (src):
 expat-2.4.4-150400.3.17.1
Basesystem Module 15-SP5 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Manager Proxy 4.3 (src):
 expat-2.4.4-150400.3.17.1
SUSE Manager Retail Branch Server 4.3 (src):
 expat-2.4.4-150400.3.17.1
SUSE Manager Server 4.3 (src):
 expat-2.4.4-150400.3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Maintenance Automation 2024-04-08 12:30:03 UTC 
SUSE-SU-2024:1162-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1189495, 1211301, 1219559, 1219666, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33187](https://smelt.suse.de/incident/33187/)
Sources used:
openSUSE Leap 15.4 (src):
 python310-documentation-3.10.14-150400.4.45.1, python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
openSUSE Leap 15.5 (src):
 python310-documentation-3.10.14-150400.4.45.1, python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 OBSbugzilla Bot 2024-04-11 20:55:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1166947 Factory / python312
Comment 41 Maintenance Automation 2024-05-08 12:30:04 UTC 
SUSE-SU-2024:1556-1: An update that solves three vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1189495, 1211301, 1219559, 1219666, 1221260, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33618](https://smelt.suse.de/incident/33618/)
Sources used:
openSUSE Leap 15.4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
openSUSE Leap 15.5 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
Public Cloud Module 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1
Python 3 Module 15-SP5 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 44 OBSbugzilla Bot 2024-05-11 16:55:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1173435 Factory / python
Comment 48 Maintenance Automation 2024-05-15 08:30:11 UTC 
SUSE-SU-2024:1657-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219559
CVE References: CVE-2023-52425
Maintenance Incident: [SUSE:Maintenance:33811](https://smelt.suse.de/incident/33811/)
Sources used:
Web and Scripting Module 12 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 49 Maintenance Automation 2024-05-16 08:30:03 UTC 
SUSE-SU-2024:1667-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1214675, 1219306, 1219559, 1220970, 1222537
CVE References: CVE-2022-48560, CVE-2023-27043, CVE-2023-52425
Maintenance Incident: [SUSE:Maintenance:33822](https://smelt.suse.de/incident/33822/)
Sources used:
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src):
 python-base-2.7.18-33.32.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python-2.7.18-33.32.1, python-doc-2.7.18-33.32.1, python-base-2.7.18-33.32.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python-2.7.18-33.32.1, python-doc-2.7.18-33.32.1, python-base-2.7.18-33.32.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python-2.7.18-33.32.1, python-doc-2.7.18-33.32.1, python-base-2.7.18-33.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 54 Maintenance Automation 2024-05-20 20:30:16 UTC 
SUSE-SU-2024:1698-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219559
CVE References: CVE-2023-52425
Maintenance Incident: [SUSE:Maintenance:33868](https://smelt.suse.de/incident/33868/)
Sources used:
openSUSE Leap 15.4 (src):
 python310-core-3.10.14-150400.4.48.1, python310-documentation-3.10.14-150400.4.48.1, python310-3.10.14-150400.4.48.1
openSUSE Leap 15.5 (src):
 python310-core-3.10.14-150400.4.48.1, python310-documentation-3.10.14-150400.4.48.1, python310-3.10.14-150400.4.48.1
openSUSE Leap 15.6 (src):
 python310-core-3.10.14-150400.4.48.1, python310-documentation-3.10.14-150400.4.48.1, python310-3.10.14-150400.4.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 55 Maintenance Automation 2024-05-24 16:30:12 UTC 
SUSE-SU-2024:1774-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075
CVE References: CVE-2023-52425, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33975](https://smelt.suse.de/incident/33975/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 56 Maintenance Automation 2024-05-29 20:30:02 UTC 
SUSE-SU-2024:1847-1: An update that solves four vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1214691, 1219559, 1219666, 1220664, 1221563, 1221854, 1222075, 1222109
CVE References: CVE-2022-48566, CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33972](https://smelt.suse.de/incident/33972/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python36-core-3.6.15-55.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 63 Maintenance Automation 2024-07-15 16:36:31 UTC 
SUSE-SU-2024:2479-1: An update that solves four vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075, 1226447, 1226448
CVE References: CVE-2023-52425, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:33974](https://smelt.suse.de/incident/33974/)
Sources used:
openSUSE Leap 15.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap 15.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap 15.6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Development Tools Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1
Development Tools Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Proxy 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Retail Branch Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Enterprise Storage 7.1 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.