FreeBSD Errata Notice FreeBSD-EN-25:05.expat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-25:05.expat                                          Errata Notice
                                                          The FreeBSD Project

Topic:          Update expat to 2.7.1

Category:       contrib
Module:         libbsdxml
Announced:      2025-04-10
Affects:        All supported versions of FreeBSD.
Corrected:      2025-04-07 03:39:34 UTC (stable/14, 14.2-STABLE)
                2025-04-10 14:57:40 UTC (releng/14.2, 14.2-RELEASE-p3)
                2025-04-07 03:41:14 UTC (stable/13, 13.5-STABLE)
                2025-04-10 14:59:02 UTC (releng/13.5, 13.5-RELEASE-p1)
                2025-04-10 14:59:36 UTC (releng/13.4, 13.4-RELEASE-p5)
CVE Name:       CVE-2024-8176

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

Expat is an XML parser library written in C.  It is a stream-oriented
parser in which an application registers handlers for things the parser
might find in the XML document (like start tags).

The FreeBSD base system ships libexpat as libbsdxml for components that
need to parse XML data.  Some of these applications use the XML parser
on trusted data from the kernel, for instance the geom(8) configuration
utilities, while other applications, like tar(1), cpio(1) and
unbound-anchor(8), may use the XML parser on input from the network or
the user.

II.  Problem Description

A stack overflow bug exists in the libexpat library due to the way it
handles recursive entity expansion in XML documents.  When parsing an
XML document with deeply nested entity references, libexpat can be
forced to recurse indefinitely, exhausting the stack space and causing a
crash.  

III. Impact

This stack overflow could cause e.g. tar(1) to crash.  Owing to the
limited number of ways libbsdxml is used in FreeBSD, the base system is
not likely to be vulnerable to denial of service (DoS) or exploitable memory
corruption.

IV.  Workaround

No workaround is available, but the problem only manifests when the
affected system needs to process data from an untrusted source.

Because the library is used by many third party applications, we advise
system administrators to check and make sure that they have the latest
expat version as well, and restart all third party services, or reboot
the system.
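The problem description above concerns deeply nested entity references, and the workaround section notes that the issue only matters for untrusted input.  The following is an added example, not part of this errata notice or of FreeBSD, showing how an application that feeds untrusted XML to the system expat (here through Python's stdlib pyexpat binding, which links the host's libexpat) can check the library version and refuse entity declarations outright, which removes nested-entity expansion as an input class whatever the expat version.  The nested-entity document is a constructed sample used only to show the rejection path; the function names are this example's own.

```python
"""Defensive handling of untrusted XML with the linked expat library.
Added example; not part of the FreeBSD errata notice or of libexpat."""
import xml.parsers.expat as expat

# Version this errata notice updates expat to (section "Topic").
FIXED_EXPAT = (2, 7, 1)


def expat_is_current(version=None):
    """True if the linked expat is at least the version shipped by EN-25:05.
    `version` defaults to the runtime library reported by pyexpat."""
    v = expat.version_info if version is None else version
    return tuple(v) >= FIXED_EXPAT


class EntityDeclarationRejected(ValueError):
    """Raised when a document declares an entity in its DTD."""


def parse_untrusted(data: bytes) -> list:
    """Parse XML from an untrusted source, refusing any entity declaration.
    Returns the start-tag names in document order.  Stopping at the first
    <!ENTITY ...> means no entity reference can ever be expanded, nested
    or otherwise, at the cost of rejecting documents that need a DTD."""
    parser = expat.ParserCreate()
    tags = []

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        # Any exception raised in a handler aborts parsing and propagates
        # out of Parse(), so the document is never processed further.
        raise EntityDeclarationRejected(f"entity declaration {name!r} refused")

    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    parser.Parse(data, True)
    return tags


def accepts_untrusted(data: bytes) -> bool:
    """Convenience wrapper: True if the document passes the entity policy."""
    try:
        parse_untrusted(data)
        return True
    except EntityDeclarationRejected:
        return False


def nested_entity_document(depth: int) -> bytes:
    """Constructed sample: e0 references e1, which references e2, ... e{depth}.
    This is the shape of input the problem description talks about."""
    decls = "".join(f'<!ENTITY e{i} "&e{i + 1};">' for i in range(depth))
    decls += f'<!ENTITY e{depth} "x">'
    return f"<!DOCTYPE d [{decls}]><d>&e0;</d>".encode()
```

A plain document without a DTD parses normally; the constructed nested-entity document is refused at its first entity declaration, before any expansion takes place.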

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.4, 14.2]
# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch
# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch.asc
# gpg --verify expat-13.4-14.2.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch
# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch.asc
# gpg --verify expat-13.5.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -E < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

The FreeBSD base system does not install daemons that use the library.
A reboot is not required after updating the base system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              fd4592006b13    stable/14-n271000
releng/14.2/                            700e7384dfbf  releng/14.2-n269520
stable/13/                              5630672e6f6d    stable/13-n259244
releng/13.5/                            dec0bf8096b3  releng/13.5-n259164
releng/13.4/                            e3fd2734314d  releng/13.4-n258281
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://github.com/libexpat/libexpat/issues/893>
<URL:https://github.com/libexpat/libexpat/issues/973>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:05.expat.asc>