Closed Bug 1217609 Opened 9 years ago Closed 3 years ago

Multiple invalid left shifts in libexpat

Categories

(Core :: XML, defect)


Tracking

RESOLVED DUPLICATE of bug 1754724
Tracking Status
firefox-esr91 --- fixed
firefox96 --- wontfix
firefox97 --- wontfix
firefox98 --- fixed
firefox99 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, sec-low)

Attachments

(1 file, 2 obsolete files)

Attached file ubsan_results.txt (deleted)
While fuzzing libexpat (2.1.0) I came across a number of invalid left shifts. I will attach the fixes I made to get past these errors. Please feel free to use these.
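The bug class this report is about is an "invalid left shift" in C: shifting by a count that is negative or at least the width of the (promoted) operand, shifting a negative value left, or producing a result that does not fit in a signed type. All of these are undefined behaviour, and UBSan's shift-exponent and shift-base checks are what produce reports like the attached ubsan_results.txt. The following is an added educational example, not code from this bug, its attachments, or libexpat: two small checked-shift helpers (the names `checked_shl_int` and `checked_shl_size` are assumptions for illustration) that reject exactly the operand shapes UBSan would flag, so a size or power-of-two computation fails cleanly instead of invoking undefined behaviour. It assumes a 32-bit `int` when it talks about the count 31.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not libexpat code.
 * Checked left shift on a signed int. Returns false instead of performing a
 * shift that is undefined in C:
 *   - count >= bit width of int  (UBSan: shift exponent too large)
 *   - negative left operand      (UBSan: left shift of negative value)
 *   - result not representable   (UBSan: shift base cannot be represented)
 */
bool checked_shl_int(int value, unsigned count, int *out)
{
    const unsigned width = (unsigned)(sizeof(int) * CHAR_BIT);
    if (count >= width)
        return false;
    if (value < 0)
        return false;
    /* value << count fits in int only if value <= INT_MAX >> count. */
    if (value > (INT_MAX >> count))
        return false;
    *out = value << count;
    return true;
}

/* Same idea for a size_t computation. Unsigned shifts never overflow in the
 * language sense, so UBSan stays silent on the result, but a too-large count
 * is still undefined and a wrapped result silently under-allocates. Both
 * cases are refused here. */
bool checked_shl_size(size_t value, unsigned count, size_t *out)
{
    const unsigned width = (unsigned)(sizeof(size_t) * CHAR_BIT);
    if (count >= width)
        return false;
    if (value > (SIZE_MAX >> count))
        return false;
    *out = value << count;
    return true;
}

/* Stand-alone demonstration: a power-of-two growth step computed safely. */
int main(void)
{
    int r;
    size_t s;
    unsigned k;

    /* Growing a signed count by doubling: succeeds until 2^30, refuses 2^31. */
    for (k = 28; k <= 32; k++) {
        if (checked_shl_int(1, k, &r))
            printf("1 << %u = %d\n", k, r);
        else
            printf("1 << %u refused (would be undefined for int)\n", k);
    }

    /* A byte-count computation in unsigned arithmetic: refused on wrap. */
    if (checked_shl_size((size_t)3, 10, &s))
        printf("3 << 10 = %zu bytes\n", s);
    if (!checked_shl_size(SIZE_MAX, 1, &s))
        printf("SIZE_MAX << 1 refused (would wrap)\n");

    return 0;
}
```

The usual way this class of bug sneaks in is a shift count that comes from attacker-influenced input (a nesting depth, a table power, a field width) and is bounded only by the author's expectation; the fix is to bound the count against the operand width and, for signed types, to check the result against `INT_MAX >> count` before shifting rather than after, since "after" is already too late.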

Can you file a bug in the Expat tracker (https://github.com/libexpat/libexpat) for the patch in xmlparse.c? The problems addressed in the patch for xmltok.c have been fixed in https://sourceforge.net/p/expat/bugs/529/.

Flags: needinfo?(twsmith)

Fixes are available. Upstream issue: https://github.com/libexpat/libexpat/issues/531

Commit 2106ee4 addresses the issues in xmlparse.c

Blocks: ubsan
Group: dom-core-security
Flags: needinfo?(twsmith) → needinfo?(peterv)
Attachment #8677720 - Attachment is obsolete: true
Attachment #8677719 - Attachment is obsolete: true

Tyson, FYI I have just requested a CVE for the 2 unfixed cases from Mitre.

Note: Bug 1688452 sandboxes Expat via RLBox

Doesn't sound easy to exploit, so I'll mark it sec-low. Only 91 is really affected from a sec perspective due to RLBox, but we should fix it on Nightly at least.

Does it make more sense to move status-firefox97 to disabled due to RLBox, too?

I think I meant to mark it wontfix, not disabled.

Glad we have rlbox \o/

FWIW, it has been uploaded in Debian old old stable:
https://tracker.debian.org/news/1299039/accepted-expat-220-2deb9u4-source-into-oldoldstable/

The xmltok.c issue was fixed a while ago in bug 1374012.
The xmlparse.c issue is CVE-2021-45960 and was fixed in bug 1754724.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(peterv)
Resolution: --- → DUPLICATE
Group: dom-core-security → core-security-release
Group: core-security-release