Bug 1219561 (CVE-2023-52426)

Summary:	VUL-0: CVE-2023-52426: expat: recursive XML Entity Expansion if XML_DTD is undefined at compile time.
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	David Anes <david.anes>
Status:	IN_PROGRESS ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	andrea.mattiazzo, david.anes, meissner, rfrohl, stoyan.manolov, uemit.arslan
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/392986/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-52426:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:	1219559
Bug Blocks:

Description SMASH SMASH 2024-02-05 10:24:10 UTC

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52426
https://www.cve.org/CVERecord?id=CVE-2023-52426
https://cwe.mitre.org/data/definitions/776.html
https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404

Patch:
https://github.com/libexpat/libexpat/pull/777

Comment 1 Andrea Mattiazzo 2024-02-05 10:35:37 UTC

Tracking as affected:
- SUSE:ALP:Source:Standard:1.0
- SUSE:Carwos:1
- SUSE:SLE-12:Update
- SUSE:SLE-15-SP4:Update
- SUSE:SLE-15:Update
- openSUSE:Factory

- SUSE:SLE-11:Update only on reactive support

Comment 2 David Anes 2024-02-19 18:35:53 UTC

Factory was already fixed here:
* https://build.opensuse.org/request/show/1146280