phew47 has asked for the wisdom of the Perl Monks concerning the following question:

According to https://support.f5.com/csp/article/K05295469 older versions of libexpat have a serious security vulnerability. We use Strawberry Perl 5.30 for Windows, and there are seemingly several instances of libexpat in our release tree, including libexpat-1_.dll, libexpat.dll, libexpatw.dll and Expat.dll.

I have found on GitHub a fixed version of libexpat.dll V2.4.4 which fixes the vulnerability, but I don't understand the relationship between it and the Perl wrappings which seem to have additional entry points (as displayed by dllexp.exe from https://www.nirsoft.net/utils/dll_export_viewer.html).

Does any Monk have suggestions on a way forward?

Re: libexpat vulnerability
by Corion (Patriarch) on Feb 14, 2022 at 06:38 UTC

    The library that is accessed via Perl is Expat.dll. It should live in a directory XML\Parser\Expat.dll. You should be able to swap out the libexpat.dll for the other version. Unfortunately, XML::Parser::Expat calls the vulnerable XML_GetCurrentLineNumber on invalid XML, so upgrading the libexpat libraries seems prudent if you actually are parsing arbitrary XML from unknown sources.
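
As an added example (not from this thread and not part of XML::Parser), a Perl script for Strawberry Perl that answers the "which DLL actually matters" question from the defender's side: it finds the XS glue Expat.dll that Perl really loaded, walks that DLL's PE import table to see which libexpat*.dll it depends on, resolves that name the way the loader roughly would, and reads the embedded expat version string from each image so the result can be compared with the fixed release. Assumed: Windows paths with a ';'-separated PATH, and that libexpat's XML_ExpatVersion() literal "expat_X.Y.Z" is present in the binary.

```perl
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Spec;
use XML::Parser::Expat ();   # loading the module records the XS DLL it pulled in
sub slurp { my ($p) = @_; open my $fh, '<:raw', $p or die "open $p: $!"; local $/; return scalar <$fh> }
# Map a relative virtual address to a file offset via the PE section table.
sub rva_to_off {
    my ($secs, $rva) = @_;
    my ($s) = grep { $rva >= $_->{va} && $rva < $_->{va} + $_->{vsize} } @$secs;
    return $s ? $rva - $s->{va} + $s->{raw} : undef;
}
# Names of the DLLs a PE image imports, read from its import directory.
sub pe_imports {
    my ($d) = @_;
    my $pe = unpack 'V', substr($d, 0x3c, 4);
    die "not a PE image\n" unless substr($d, 0, 2) eq 'MZ' && substr($d, $pe, 4) eq "PE\0\0";
    my ($nsec, $optsize) = unpack 'x2 v x12 v', substr($d, $pe + 4, 20);
    my $opt = $pe + 24;
    my $dd = $opt + (unpack('v', substr($d, $opt, 2)) == 0x20b ? 112 : 96);   # PE32+ vs PE32
    my $imp_rva = unpack 'V', substr($d, $dd + 8, 4);                           # data directory 1 = imports
    my @secs = map { my ($vs, $va, $raw) = unpack 'x8 V V x4 V', substr($d, $opt + $optsize + 40 * $_, 40);
                     +{ va => $va, vsize => $vs, raw => $raw } } 0 .. $nsec - 1;
    my ($off, @dlls) = ($imp_rva ? rva_to_off(\@secs, $imp_rva) : undef);   # undef: no import table
    while (defined $off && (my $name_rva = unpack('x12 V', substr($d, $off, 20)))) {
        push @dlls, unpack('Z*', substr($d, rva_to_off(\@secs, $name_rva), 260));
        $off += 20;
    }
    return @dlls;
}
# XML_ExpatVersion() returns the literal "expat_X.Y.Z", so it sits in the image (UTF-16LE in libexpatw).
sub expat_version {
    my ($d) = @_;
    return $1 if $d =~ /expat_(\d+\.\d+\.\d+)/;
    my $wide = join '', map { "$_\0" } split //, 'expat_';
    return $d =~ /$wide((?:[\d.]\0)+)/ ? $1 =~ tr/\0//dr : undef;
}
my ($glue) = grep { m{[/\\]Expat\.dll$}i } @DynaLoader::dl_shared_objects or die "XML::Parser::Expat XS DLL not found\n";
my $img = slurp($glue);
print "XS glue loaded by Perl: $glue\n";
my @imports = grep { /expat/i } pe_imports($img);
# No libexpat import means the parser is linked into the glue itself; swapping a libexpat*.dll on disk changes nothing then.
printf "  no libexpat DLL imported; embedded expat version: %s\n", expat_version($img) // 'unknown' unless @imports;
my @dirs = (dirname($glue), dirname($^X), split /;/, $ENV{PATH} // '');   # rough Windows DLL search order
for my $name (@imports) {
    my ($path) = grep { -f } map { File::Spec->catfile($_, $name) } @dirs;
    printf "  imports %s -> %s (expat version %s)\n", $name, $path // 'not found',
        defined $path ? (expat_version(slurp($path)) // 'unknown') : '?';
}
```

Run it with the same perl.exe the release tree ships, so @DynaLoader::dl_shared_objects reflects the DLL that tree really loads rather than another Perl on the machine.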

Re: libexpat vulnerability ( pre-covid CVE-2019-15903 )
by Anonymous Monk on Feb 18, 2022 at 06:48 UTC