
Libexpat before 2.4.5 contains a CVE #76

Open
esnible opened this issue Jun 10, 2023 · 1 comment

Comments

@esnible

esnible commented Jun 10, 2023

The "Mend" tool complains about a CVE in the embedded version of Expat. Consider replacing the current Expat source with newer version.

The claim is that

  • xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Here is Expat's fix of the issue

Go-graphviz is using this version

Related: #42 (comment)
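As an added example (not code from go-graphviz or from the issue author): a small Go check that parses the `XML_MAJOR_VERSION`, `XML_MINOR_VERSION` and `XML_MICRO_VERSION` macros that expat.h defines and reports whether a vendored copy predates the 2.4.5 fix named above. The header fragment here is constructed; a real check would read the project's vendored expat.h instead.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// sampleExpatH is a constructed fragment mimicking the version macros
// that expat.h defines; a real check would read the vendored header file.
const sampleExpatH = `
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 2
#define XML_MICRO_VERSION 10
`

// FixedVersion is the first libexpat release carrying the xmltok_impl.c fix.
var FixedVersion = [3]int{2, 4, 5}

var macroRe = regexp.MustCompile(`(?m)^#define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)`)

// ParseExpatVersion extracts {major, minor, micro} from expat.h text,
// failing if any of the three macros is missing or defined twice.
func ParseExpatVersion(src string) ([3]int, error) {
	idx := map[string]int{"MAJOR": 0, "MINOR": 1, "MICRO": 2}
	var v [3]int
	found := map[string]bool{}
	for _, m := range macroRe.FindAllStringSubmatch(src, -1) {
		if found[m[1]] {
			return v, fmt.Errorf("duplicate XML_%s_VERSION", m[1])
		}
		n, _ := strconv.Atoi(m[2]) // digits-only capture group cannot fail
		v[idx[m[1]]], found[m[1]] = n, true
	}
	if len(found) != 3 {
		return v, fmt.Errorf("found %d of 3 version macros", len(found))
	}
	return v, nil
}

// OlderThan reports whether a precedes b in (major, minor, micro) order.
func OlderThan(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}
```

Calling `ParseExpatVersion` on the vendored header and `OlderThan(v, FixedVersion)` gives a yes/no answer that can be wired into CI so a stale Expat copy fails the build instead of waiting for a scanner report.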

@Alex-Tsekhansky-IBM

I'd like to add that the scanner noted the vulnerability in the code used by our group as well (and I assume Ed's issue came up from the same scanner) with the following suggested fix:

Upgrade to version: cmake - 3.19.5,3.17.3,3.22.0;cmake-native - 3.22.0,3.17.3,3.20.1;python3 - 3.8.2. So at least part of the issue may simply be related to a build rather than the code.

Is it possible to rerun the build using the minimum component version indicated, by any chance?
