Bug 1219559 (CVE-2023-52425) - VUL-0: CVE-2023-52425: expat: denial of service (resource consumption) caused by processing large tokens
Summary: VUL-0: CVE-2023-52425: expat: denial of service (resource consumption) caused...
Status: IN_PROGRESS
Alias: CVE-2023-52425
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: David Anes
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/392985/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52425:5.5:(AV:...
Keywords:
Depends on:
Blocks: CVE-2023-52426 1221563 1222075
Reported: 2024-02-05 10:06 UTC by SMASH SMASH
Modified: 2024-07-15 16:36 UTC
CC List: 9 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Flags: stoyan.manolov: needinfo?

Description SMASH SMASH 2024-02-05 10:06:44 UTC
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52425
https://www.cve.org/CVERecord?id=CVE-2023-52425

Patch:
https://github.com/libexpat/libexpat/pull/789
Comment 1 Andrea Mattiazzo 2024-02-05 10:08:11 UTC
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0
- SUSE:Carwos:1/expat
- SUSE:SLE-11:Update/expat (in reactive support)
- SUSE:SLE-12:Update/expat
- SUSE:SLE-15-SP4:Update/expat
- SUSE:SLE-15:Update/expat
- openSUSE:Factory/expat
Comment 4 David Anes 2024-02-12 14:47:09 UTC
From 2.6.0 release notes:

> Backporters should be careful to not omit parts of
> pull request #789 and to include earlier pull request #771,
> in order to not break the fix.

Therefore, patches are in:
- https://github.com/libexpat/libexpat/pull/789
- https://github.com/libexpat/libexpat/pull/771
Comment 5 David Anes 2024-02-14 09:52:32 UTC
Factory request is ongoing, as the update to 2.6.0 breaks other packages (I already notified their maintainers):
* https://build.opensuse.org/request/show/1146280
Comment 13 Andreas Taschner 2024-02-23 13:15:03 UTC
Have you been able to progress any further towards a submission, David?
Comment 16 Andreas Taschner 2024-02-27 08:18:09 UTC
Thank you for the updates, guys.
Comment 23 OBSbugzilla Bot 2024-03-22 11:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1160579 Factory / python310
https://build.opensuse.org/request/show/1160580 Factory / python39
https://build.opensuse.org/request/show/1160582 Factory / python38
Comment 24 OBSbugzilla Bot 2024-03-24 03:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1161042 Factory / python39
Comment 25 OBSbugzilla Bot 2024-03-24 09:35:13 UTC
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1161074 Factory / python310
Comment 27 Maintenance Automation 2024-03-27 16:30:09 UTC
SUSE-SU-2024:1009-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1211301, 1219559, 1219666, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33053](https://smelt.suse.de/incident/33053/)
Sources used:
openSUSE Leap 15.3 (src):
 python39-3.9.19-150300.4.41.1, python39-documentation-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
openSUSE Leap 15.5 (src):
 python39-3.9.19-150300.4.41.1, python39-documentation-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Enterprise Storage 7.1 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Maintenance Automation 2024-04-08 08:30:01 UTC
SUSE-SU-2024:1129-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1219559, 1221289
CVE References: CVE-2023-52425, CVE-2024-28757
Maintenance Incident: [SUSE:Maintenance:32868](https://smelt.suse.de/incident/32868/)
Sources used:
openSUSE Leap 15.4 (src):
 expat-2.4.4-150400.3.17.1
openSUSE Leap Micro 5.3 (src):
 expat-2.4.4-150400.3.17.1
openSUSE Leap Micro 5.4 (src):
 expat-2.4.4-150400.3.17.1
openSUSE Leap 15.5 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro 5.3 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro 5.4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Micro 5.5 (src):
 expat-2.4.4-150400.3.17.1
Basesystem Module 15-SP5 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 expat-2.4.4-150400.3.17.1
SUSE Manager Proxy 4.3 (src):
 expat-2.4.4-150400.3.17.1
SUSE Manager Retail Branch Server 4.3 (src):
 expat-2.4.4-150400.3.17.1
SUSE Manager Server 4.3 (src):
 expat-2.4.4-150400.3.17.1
Comment 29 Maintenance Automation 2024-04-08 12:30:03 UTC
SUSE-SU-2024:1162-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1189495, 1211301, 1219559, 1219666, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33187](https://smelt.suse.de/incident/33187/)
Sources used:
openSUSE Leap 15.4 (src):
 python310-documentation-3.10.14-150400.4.45.1, python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
openSUSE Leap 15.5 (src):
 python310-documentation-3.10.14-150400.4.45.1, python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
Comment 30 OBSbugzilla Bot 2024-04-11 20:55:03 UTC
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1166947 Factory / python312
Comment 41 Maintenance Automation 2024-05-08 12:30:04 UTC
SUSE-SU-2024:1556-1: An update that solves three vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1189495, 1211301, 1219559, 1219666, 1221260, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33618](https://smelt.suse.de/incident/33618/)
Sources used:
openSUSE Leap 15.4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
openSUSE Leap 15.5 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
Public Cloud Module 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1
Python 3 Module 15-SP5 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
Comment 44 OBSbugzilla Bot 2024-05-11 16:55:03 UTC
This is an autogenerated message for OBS integration:
This bug (1219559) was mentioned in
https://build.opensuse.org/request/show/1173435 Factory / python
Comment 48 Maintenance Automation 2024-05-15 08:30:11 UTC
SUSE-SU-2024:1657-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219559
CVE References: CVE-2023-52425
Maintenance Incident: [SUSE:Maintenance:33811](https://smelt.suse.de/incident/33811/)
Sources used:
Web and Scripting Module 12 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python3-base-3.4.10-25.127.1, python3-3.4.10-25.127.1
Comment 49 Maintenance Automation 2024-05-16 08:30:03 UTC
SUSE-SU-2024:1667-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1214675, 1219306, 1219559, 1220970, 1222537
CVE References: CVE-2022-48560, CVE-2023-27043, CVE-2023-52425
Maintenance Incident: [SUSE:Maintenance:33822](https://smelt.suse.de/incident/33822/)
Sources used:
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src):
 python-base-2.7.18-33.32.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python-2.7.18-33.32.1, python-doc-2.7.18-33.32.1, python-base-2.7.18-33.32.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python-2.7.18-33.32.1, python-doc-2.7.18-33.32.1, python-base-2.7.18-33.32.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python-2.7.18-33.32.1, python-doc-2.7.18-33.32.1, python-base-2.7.18-33.32.1
Comment 54 Maintenance Automation 2024-05-20 20:30:16 UTC
SUSE-SU-2024:1698-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219559
CVE References: CVE-2023-52425
Maintenance Incident: [SUSE:Maintenance:33868](https://smelt.suse.de/incident/33868/)
Sources used:
openSUSE Leap 15.4 (src):
 python310-core-3.10.14-150400.4.48.1, python310-documentation-3.10.14-150400.4.48.1, python310-3.10.14-150400.4.48.1
openSUSE Leap 15.5 (src):
 python310-core-3.10.14-150400.4.48.1, python310-documentation-3.10.14-150400.4.48.1, python310-3.10.14-150400.4.48.1
openSUSE Leap 15.6 (src):
 python310-core-3.10.14-150400.4.48.1, python310-documentation-3.10.14-150400.4.48.1, python310-3.10.14-150400.4.48.1
Comment 55 Maintenance Automation 2024-05-24 16:30:12 UTC
SUSE-SU-2024:1774-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075
CVE References: CVE-2023-52425, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33975](https://smelt.suse.de/incident/33975/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
Comment 56 Maintenance Automation 2024-05-29 20:30:02 UTC
SUSE-SU-2024:1847-1: An update that solves four vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1214691, 1219559, 1219666, 1220664, 1221563, 1221854, 1222075, 1222109
CVE References: CVE-2022-48566, CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33972](https://smelt.suse.de/incident/33972/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python36-core-3.6.15-55.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
Comment 63 Maintenance Automation 2024-07-15 16:36:31 UTC
SUSE-SU-2024:2479-1: An update that solves four vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075, 1226447, 1226448
CVE References: CVE-2023-52425, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:33974](https://smelt.suse.de/incident/33974/)
Sources used:
openSUSE Leap 15.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap 15.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap 15.6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Development Tools Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1
Development Tools Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Proxy 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Retail Branch Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Enterprise Storage 7.1 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2