Expat 2.6.2 released, includes security fixes

For readers new to Expat: libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.6.2 has been released earlier today. This release is the first with a detailed call-for-help banner at the top of the change log — something will have to change. It has literally been said to me that "XKCD 2347 is libexpat". If your employer or business depends on the security of Expat — if, for example, you use Expat to parse input from uploaded files or the network, directly or through another library or application — please make sure this gets the needed attention — thanks!

Regarding actual release content, most importantly, this release fixes security issue CVE-2024-28757 that can be used to cause denial of service for code like…

XML_Parser parser = XML_ParserCreate(NULL); XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);

…where all input is sent to the external parser and none to the parent regular parser.
The commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8 explains the problem and solution in more detail.

There is also a bugfix to reject direct parameter entity recursion and also to avoid the related undefined behavior. The fact that this has gone unreported for 20+ years speaks volumes about the value of fuzzing, because ClusterFuzz/OSS-Fuzz is in fact how this issue was uncovered a few days ago.

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.6.2. Thank you!

Sebastian Pipping

This article first appeared at blog.hartwork.org.