CLSA-2022-1660760528
See a problem?- Import Source
- https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2022-1660760528.json
- JSON Data
- https://api.osv.dev/v1/vulns/CLSA-2022-1660760528
- Upstream
- Published
- 2022-08-17T18:22:08Z
- Modified
- 2026-06-04T10:04:12.695059494Z
- Summary
- Fix CVE(s): CVE-2022-25235, CVE-2022-23990, CVE-2022-22825, CVE-2022-22824, CVE-2022-23852, CVE-2022-25315, CVE-2022-25236, CVE-2021-46143, CVE-2022-25313, CVE-2021-45960, CVE-2022-22826, CVE-2022-22827, CVE-2022-22822, CVE-2022-22823
- Details
-
- SECURITY UPDATE: Stack exhaustion
- debian/patches/CVE-2022-25313.patch: prevent stack exhaustion in build_model in expat/lib/xmlparse.c.
- debian/patches/fix-buildmodel-regression.patch: fix buildmodel regression in expat/lib/xmlparse.c.
- CVE-2022-25313
- SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2022-25315.patch: prevent integer overflow in storeRawNames in expat/lib/xmlparse.c.
- CVE-2022-25315
- SECURITY UPDATE: relax fix to CVE-2022-25236 with regard to
RFC 3986 URI characters and possibly regressions
- debian/patches/CVE-2022-25236-3.patch: add a note on namespace URI validation in expat/doc/reference.html, expat/lib/expat.h.
- debian/patches/CVE-2022-25236-4.patch: document namespace separator effect right in header expat/lib/expat.h.
- debian/patches/CVE-2022-25236-5.patch: cover relaxed fix in tests.
- debian/patches/CVE-2022-25236-6.patch: relax fix with regard to RFC 3986 URI characters in expat/lib/xmlparse.c. (LP: #1963903)
- fix tests adding XCS definition
- debian/patches/fixtestxcs.patch: in tests/runtests.c.
- SECURITY UPDATE: Realloc misbehavior
- debian/patches/CVE-2021-45960.patch: detect and prevent troublesome left shifts in function storeAtts in lib/xmlparse.c.
- CVE-2021-45960
- SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2021-46143.patch: prevent integer overflow on m_groupSize in function doProlog in lib/xmlparse.c.
- CVE-2021-46143
- SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2022-22822-to-CVE-2022-22827.patch: prevent integer overflow in multiple places in lib/xmlparse.c.
- CVE-2022-22822
- CVE-2022-22823
- CVE-2022-22824
- CVE-2022-22825
- CVE-2022-22826
- CVE-2022-22827
- SECURITY UPDATE: Signed integer overflow
- debian/patches/CVE-2022-23852-*.patch: detect and prevent integer overflow in XML_GetBuffer in expat/lib/xmlparse.c and adds test to cover it in tests/runtests.c.
- CVE-2022-23852
- SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2022-23990.patch: prevent integer overflow in doProlog in lib/xmlparse.c.
- CVE-2022-23990
- SECURITY UPDATE: Incomplete validation encoding
- debian/patches/CVE-2022-25235-*.patch: adds missing validation and adds tests in expat/lib/xmltok_impl.c, expat/tests/runtests.c.
- CVE-2022-25235
- SECURITY UPDATE: Namespace-separator insertions
- debian/patches/CVE-2022-25236-*.patch: Protect against malicious namespace declarations in expat/lib/xmlparse.c, expat/tests/runtests.c.
- CVE-2022-25236
- debian/patches/fixing_tests.patch: fixing tests in order to it work in xenial and oldest releases.
- SECURITY UPDATE: Stack exhaustion
- References
Affected packages
TuxCare:Ubuntu:16.04 / expat
Package
- Name
- expat
- Purl
- pkg:deb/tuxcare/expat?distro=ubuntu-16.04
TuxCare:Ubuntu:16.04 / libexpat1
Package
- Name
- libexpat1
- Purl
- pkg:deb/tuxcare/libexpat1?distro=ubuntu-16.04