ALAS-2022-1603

Amazon Linux 1 Security Advisory: ALAS-2022-1603
Advisory Release Date: 2022-06-30 23:38 Pacific
Advisory Updated Date: 2022-07-07 00:01 Pacific

Severity: Medium

References: CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. (CVE-2021-46143)

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22824)

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22826)

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)

Affected Packages:

expat

Issue Correction:
Run yum update expat to update your system.

New Packages:

i686:
    expat-devel-2.1.0-14.31.amzn1.i686
    expat-debuginfo-2.1.0-14.31.amzn1.i686
    expat-2.1.0-14.31.amzn1.i686

src:
    expat-2.1.0-14.31.amzn1.src

x86_64:
    expat-devel-2.1.0-14.31.amzn1.x86_64
    expat-debuginfo-2.1.0-14.31.amzn1.x86_64
    expat-2.1.0-14.31.amzn1.x86_64

Additional References

Red Hat: CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827

Mitre: CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827