PerlMonks  

libexpat vulnerability

by phew47 (Initiate)
on Feb 14, 2022 at 01:58 UTC [id://11141375]

phew47 has asked for the wisdom of the Perl Monks concerning the following question:

According to https://support.f5.com/csp/article/K05295469 older versions of libexpat have a serious security vulnerability. We use Strawberry Perl 5.30 for Windows, and there are seemingly several instances of libexpat in our release tree, including libexpat-1_.dll, libexpat.dll, libexpatw.dll and Expat.dll.

I have found on github a fixed version of libexpat.dll V2.4.4 which fixes the vulnerability, but I don't understand the relationship between it and the Perl wrappings which seem to have additional entry points (as displayed by dllexp.exe from https://www.nirsoft.net/utils/dll_export_viewer.html).

Does any Monk have suggestions on a way forward?

Re: libexpat vulnerability
by Corion (Patriarch) on Feb 14, 2022 at 06:38 UTC

    The library that is accessed via Perl is Expat.dll. It should live in a directory XML\Parser\Expat.dll. You should be able to swap out the libexpat.dll for the other version. Unfortunately, XML::Parser::Expat calls the vulnerable XML_GetCurrentLineNumber on invalid XML, so upgrading the libexpat libraries seems prudent if you actually are parsing arbitrary XML from unknown sources.
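As an added example (not code from this thread), a script that reports which Expat.dll the Perl wrapper actually loads and which expat version it links, then inventories every expat DLL under the Strawberry tree with its SHA-256 so copies such as libexpat-1_.dll and libexpatw.dll can be matched against the known-good build. It assumes XML::Parser::Expat exposes libexpat's XML_ExpatVersion() as ExpatVersion() (guarded with can(), so the script still completes if it does not) and that DynaLoader records the loaded DLL in @dl_shared_objects.

```perl
#!/usr/bin/env perl
# Added example: inventory the expat libraries a Strawberry Perl install uses.
use strict;
use warnings;
use version;
use File::Find qw(find);
use File::Basename qw(dirname);
use Digest::SHA;
use XML::Parser::Expat;    # pulls in Expat.dll and the libexpat it links against

my $MIN_VERSION = '2.4.4';  # version the question names as fixed

# DynaLoader records every shared object it loads (ASSUMPTION: the module is
# bootstrapped via DynaLoader, as XML::Parser::Expat has done historically).
my ($loaded) = grep { /\bExpat\.(?:dll|so|dylib)$/i } @DynaLoader::dl_shared_objects;
printf "XML::Parser::Expat %s loads %s\n", $XML::Parser::Expat::VERSION,
       $loaded // '(not recorded by DynaLoader)';

# ASSUMPTION: the XS glue exposes libexpat's XML_ExpatVersion() as
# ExpatVersion(), returning e.g. "expat_2.4.4"; guarded so the script
# still completes if that function is absent.
sub linked_expat_version {
    return unless XML::Parser::Expat->can('ExpatVersion');
    my ($v) = XML::Parser::Expat::ExpatVersion() =~ /(\d+\.\d+\.\d+)/;
    return $v;
}

if (my $v = linked_expat_version()) {
    my $ok = version->parse("v$v") >= version->parse("v$MIN_VERSION");
    printf "linked expat %s: %s\n", $v,
           $ok ? "at or above $MIN_VERSION" : "older than $MIN_VERSION, needs updating";
} else {
    print "module does not report the linked expat version; compare DLL hashes below\n";
}

# Walk the install tree (default: three levels above perl.exe, i.e. C:\Strawberry
# for C:\Strawberry\perl\bin\perl.exe) and list every expat DLL with its SHA-256,
# so stray copies are matched against the known-good build, not guessed by name.
my $root = @ARGV ? shift @ARGV : dirname(dirname(dirname($^X)));
find({ no_chdir => 1, wanted => sub {
    return unless -f $_ && m{(?:^|[\\/])(?:libexpat[^\\/]*|expat)\.dll$}i;
    my $sha = Digest::SHA->new(256)->addfile($_, 'b')->hexdigest;
    printf "%-70s %8d bytes  sha256:%s\n", $_, -s $_, $sha;
} }, $root);
```

Run it once before and once after swapping in the updated DLLs; a path listed in the inventory but not in the loaded-library line is a copy the release tree ships that Perl itself never uses.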

Re: libexpat vulnerability ( pre-covid CVE-2019-15903 )
by Anonymous Monk on Feb 18, 2022 at 06:48 UTC

Node Type: perlquestion [id://11141375]
Approved by talexb
Front-paged by marto