Thursday, September 12, 2024

[USN-7001-1] xmltok library vulnerabilities

-----BEGIN PGP SIGNATURE-----

wsD5BAABCAAjFiEEcxdv4gCCE8W9nrt5a1+PL+d1/EgFAmbi6OoFAwAAAAAACgkQa1+PL+d1/Eh9
Tgv+M8z/ziII8oAYwj6BzCUHlageGzBfH5EbaBXalg1W9U3H7OwrjIbcUE9JFN5ofn0mgeUURIwa
WCLoeW/InVpRBsxoUF7e1u/OTJa06AAVIYX/4mZxzndbOdlsqqK2UunjfrmXIwAbS6qLtnCDyrnr
H0izcJCS9IK8N1EuYUCU3D4Z1fdEq/a3osJg6IHDbKQRazDX7hgSsWUHZXBNanGPHiNVPlHb95lv
6SH59TRhsfHRYN9etPinCT7soIgx9lzXijm0moLCj344RlRmi34xt9FyPeMPZ8/xY354fbhK688A
7A0Bb3OGRNNJT9Z26FlPQLrHld36kB6QhpQAkUC9GTljwvlOTzGO2Cj+DPFKxOALoze2YaE/wfEz
EHb+Y8FT53Izz/rYvzEfhndIKp/FuMJOn2RrgBbxQbXCSCePLdTAj5DrRGWlcKWs7jB7INFAbsAs
dhlODN+Q62kMXeJJkknQKEvFKC1Bplto0OAwQA/aygh+HkwEbTS3DEIe/8S0
=e5+Y
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7001-1
September 12, 2024

libxmltok vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in libxmltok.

Software Description:
- libxmltok: XML Parser Toolkit, runtime libraries

Details:

Shang-Hung Wan discovered that Expat, contained within the xmltok library,
did not properly handle certain function calls when a negative input length
was provided. An attacker could use this issue to cause a denial of service
or possibly execute arbitrary code. (CVE-2024-45490)

Shang-Hung Wan discovered that Expat, contained within the xmltok library,
did properly handle the potential for an integer overflow on 32-bit
platforms. An attacker could use this issue to cause a denial of service or
possibly execute arbitrary code. (CVE-2024-45491)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  libxmltok1                      1.2-4ubuntu0.22.04.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libxmltok1                      1.2-4ubuntu0.20.04.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libxmltok1                      1.2-4ubuntu0.18.04.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libxmltok1                      1.2-3ubuntu0.16.04.1~esm4
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7001-1
  CVE-2024-45490, CVE-2024-45491

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)