Slackware Security Advisories
Slackware Logo

News

Security Advisories

FAQ

Book

General Info

Get Slack

Install Help

Configuration

Packages

ChangeLogs

Propaganda

Ports

Other Sites

Support

Contact

Mailing Lists

About

 
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] expat (SSA:2022-016-01)
Date: Sun, 16 Jan 2022 13:48:11 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  expat (SSA:2022-016-01)

New expat packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/expat-2.4.3-i586-1_slack14.2.txz:  Upgraded.
  Fix issues with left shifts by >=29 places resulting in:
    a) realloc acting as free
    b) realloc allocating too few bytes
    c) undefined behavior
  Fix integer overflow on variable m_groupSize in function doProlog leading
  to realloc acting as free. Impact is denial of service or other undefined
  behavior.
  Prevent integer overflows near memory allocation at multiple places.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/expat-2.4.3-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/expat-2.4.3-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/expat-2.4.3-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/expat-2.4.3-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/expat-2.4.3-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/expat-2.4.3-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/expat-2.4.3-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/expat-2.4.3-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 14.0 package:
221489b3cc531df86e938f4b5f86f333  expat-2.4.3-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
567acea852c48adddc4ddb54d7d31b8c  expat-2.4.3-x86_64-1_slack14.0.txz

Slackware 14.1 package:
955d3d04dbe44c58328003e29ab83cef  expat-2.4.3-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
cdedf19fe237eb09786d54c8295658fc  expat-2.4.3-x86_64-1_slack14.1.txz

Slackware 14.2 package:
dc1121c0f3c2e331ee162586103bc61d  expat-2.4.3-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
0476a33c23c7398cce3f48c508538d56  expat-2.4.3-x86_64-1_slack14.2.txz

Slackware -current package:
170535aa026a821b7434a3a4a6987b41  l/expat-2.4.3-i586-1.txz

Slackware x86_64 -current package:
6b978051bba045d94e53890bc5289f49  l/expat-2.4.3-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg expat-2.4.3-i586-1_slack14.2.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAmHkjZkACgkQakRjwEAQIjP5DgCdEyMgZ1Xt0QDAbvci+BMLhhH8
LqcAoI9NLG98BcJPy/M12q1UNOCohmid
=7DsO
-----END PGP SIGNATURE-----

Slackware™ is a trademark of Patrick Volkerding.