Vulnerabilities in the Expat library leading to code execution when processing XML data

Expat 2.4.5, a library used to parse XML in many projects, including Apache httpd, OpenOffice, LibreOffice, Firefox, Chromium, Python and Wayland, fixes five dangerous vulnerabilities. Four of them potentially allow an attacker's code to be executed when an application using libexpat processes specially crafted XML data. Working exploits are reported for two of the vulnerabilities. The publication of package updates in distributions can be followed on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

Identified vulnerabilities:

  • CVE-2022-25235 - A buffer overflow caused by incorrect checking of Unicode character encoding, which can lead (an exploit exists) to code execution when processing specially crafted sequences of 2- and 3-byte UTF-8 characters in XML tag names.
  • CVE-2022-25236 - Namespace delimiter characters can be inserted into "xmlns[:prefix]" values in a URI. The vulnerability allows code execution when processing attacker-supplied data (an exploit exists).
  • CVE-2022-25313 - Stack exhaustion occurs when parsing a "doctype" (DTD) block, as seen in files larger than 2 MB that contain a very large number of open parentheses. It is possible that the vulnerability could be used to achieve code execution on the system.
  • CVE-2022-25315 - An integer overflow in the storeRawNames function that occurs only on 64-bit systems and requires processing gigabytes of data. It is possible that the vulnerability could be used to achieve code execution on the system.
  • CVE-2022-25314 - An integer overflow in the copyString function that occurs only on 64-bit systems and requires processing gigabytes of data. The problem can result in denial of service.

    Source: opennet.ru
