Security update for expat

Announcement ID: SUSE-SU-2025:03239-1
Release Date: 2025-09-16T17:04:05Z
Rating: important
CVSS scores:
  • CVE-2024-8176 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2024-8176 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2024-8176 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • Basesystem Module 15-SP7
  • SUSE Linux Enterprise Desktop 15 SP7
  • SUSE Linux Enterprise Real Time 15 SP7
  • SUSE Linux Enterprise Server 15 SP7
  • SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves one vulnerability and contains one feature can now be installed.

Description:

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

  • Bug fixes:
    • Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:
      - XML_GetCurrentByteCount
      - XML_GetCurrentByteIndex
      - XML_GetCurrentColumnNumber
      - XML_GetCurrentLineNumber
      - XML_GetInputContext
    • Fix printf format specifiers for 32-bit Emscripten
  • Other changes:
    • docs: Promote OpenSSF Best Practices self-certification
    • tests/benchmark: Resolve mistaken double close
    • Address compiler warnings
    • Version info bumped from 11:1:10 (libexpat.so.1.10.1) to 11:2:10 (libexpat.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

  • Security fixes:
    • CVE-2024-8176: Fix crash from chaining a large number of entities caused by stack overflow, by resolving use of recursion, for all three uses of entities:
      - general entities in character data ("<e>&g1;</e>")
      - general entities in attribute values ("<e k1='&g1;'/>")
      - parameter entities ("%p1;")
      Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2). Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
  • Other changes:
    • docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
    • docs: Document need for C++11 compiler for use from C++
    • Address Cppcheck warnings
    • Mass-migrate links from http:// to https://
    • Document changes since the previous release
    • Version info bumped from 11:0:10 (libexpat.so.1.10.0) to 11:1:10 (libexpat.so.1.10.1); see https://verbump.de/ for what these numbers do
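
The following is an added example, not part of the SUSE advisory or of the Expat project. Python's xml.parsers.expat is a thin binding over whichever libexpat the interpreter is linked against, so a service can use it to report the Expat version it actually runs, refuse untrusted XML on builds older than the 2.7.0 fix for CVE-2024-8176, cap the number of entity declarations it will accept as a defensive bound on unpatched hosts, and surface parse errors with the line/column/byte-index position API whose behaviour the 2.7.1 notes above restore. The sample document, the 32-declaration cap and the EntityLimitExceeded class are constructed here for illustration.

```python
# Added example (not from the SUSE advisory or from Expat). Version gate,
# entity-declaration cap and position reporting via Python's expat binding.
import xml.parsers.expat as expat

FIXED_VERSION = (2, 7, 0)  # first Expat release with the CVE-2024-8176 fix (per the advisory)


def is_fixed(version=None):
    """True when the linked libexpat (or the given version tuple) contains the fix."""
    v = expat.version_info if version is None else tuple(version)
    return v >= FIXED_VERSION


class EntityLimitExceeded(ValueError):
    """Raised from the entity-declaration handler to abort the parse (constructed name)."""


def parse_report(data, max_entity_decls=32):
    """Parse XML bytes with a capped number of entity declarations and no external entities.

    Returns {"ok": True, "text", "attrs", "entity_decls"} on success, or
    {"ok": False, "error", "line", "column", "byte_index"} with the position Expat reports.
    The cap is a defensive bound for builds still lacking the 2.7.0 fix; it does not
    replace updating libexpat.
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True  # coalesce character data across entity boundaries
    state = {"entities": 0, "text": [], "attrs": {}}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        state["entities"] += 1
        if state["entities"] > max_entity_decls:
            raise EntityLimitExceeded(f"more than {max_entity_decls} entity declarations")

    def start_element(name, attrs):
        state["attrs"].update(attrs)

    def char_data(text):
        state["text"].append(text)

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    # Returning 0 makes Expat fail the parse instead of silently skipping an external entity.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0

    try:
        parser.Parse(data, True)
    except EntityLimitExceeded as exc:
        # Position of the declaration that exceeded the cap (XML_GetCurrent* equivalents).
        return {"ok": False, "error": str(exc), "line": parser.CurrentLineNumber,
                "column": parser.CurrentColumnNumber, "byte_index": parser.CurrentByteIndex}
    except expat.ExpatError as exc:
        # ExpatError carries the Expat error code plus line and 0-based column.
        return {"ok": False, "error": expat.errors.messages[exc.code],
                "line": exc.lineno, "column": exc.offset, "byte_index": parser.ErrorByteIndex}
    return {"ok": True, "text": "".join(state["text"]),
            "attrs": state["attrs"], "entity_decls": state["entities"]}


# Constructed sample input: two chained internal general entities, used in an
# attribute value and in character data (two of the three entity uses the advisory names).
SAMPLE = b"""<!DOCTYPE root [
  <!ENTITY g1 "hello">
  <!ENTITY g2 "&g1; world">
]>
<root k1="&g2;">&g2;</root>"""

if __name__ == "__main__":
    print("linked Expat:", expat.EXPAT_VERSION, "fixed:", is_fixed())
    print(parse_report(SAMPLE))
    print(parse_report(SAMPLE, max_entity_decls=1))
    print(parse_report(b"<root>&nope;</root>"))
```

On a well-formed document the report shows both entity uses expanded to "hello world"; lowering the cap rejects the same document at the second declaration, and an undefined entity is reported at line 1, column 6 (the position of the "&").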

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • Basesystem Module 15-SP7
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2025-3239=1

Package List:

  • Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    • expat-2.7.1-150700.3.3.1
    • expat-debuginfo-2.7.1-150700.3.3.1
    • libexpat-devel-2.7.1-150700.3.3.1
    • libexpat1-2.7.1-150700.3.3.1
    • libexpat1-debuginfo-2.7.1-150700.3.3.1
    • expat-debugsource-2.7.1-150700.3.3.1
  • Basesystem Module 15-SP7 (x86_64)
    • libexpat1-32bit-2.7.1-150700.3.3.1
    • libexpat1-32bit-debuginfo-2.7.1-150700.3.3.1
    • expat-32bit-debuginfo-2.7.1-150700.3.3.1
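
The following is an added example, not part of the SUSE advisory: a POSIX shell check that reports whether the libexpat1 package installed on a SLE 15 SP7 host is at or above the fixed build listed above. It assumes an rpm-based host and GNU sort -V for version ordering; the package name, fixed version and patch command are taken from this advisory.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): verify the installed libexpat1 build.
FIXED_LIBEXPAT1="2.7.1-150700.3.3.1"   # from the Package List above
PATCH_CMD="zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2025-3239=1"

# version_ge A B: succeed when A sorts at or after B in natural version order.
# GNU sort -V understands rpm-style "version-release" strings.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# installed_version PKG: print "VERSION-RELEASE" of an installed rpm; fail when
# rpm is unavailable or the package is not installed.
installed_version() {
  command -v rpm >/dev/null 2>&1 || return 1
  rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null
}

# check_expat: exit 0 = fixed build installed, 1 = update needed, 2 = undetermined.
check_expat() {
  inst=$(installed_version libexpat1) || {
    echo "libexpat1: cannot query the rpm database"
    return 2
  }
  if version_ge "$inst" "$FIXED_LIBEXPAT1"; then
    echo "libexpat1 $inst: fixed (>= $FIXED_LIBEXPAT1)"
    return 0
  fi
  echo "libexpat1 $inst: update needed -> $PATCH_CMD"
  return 1
}
```

Run check_expat on each host and act on its exit status; a status of 1 means the build predates this update and the listed zypper command should be applied.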
