CVE-2021-45960

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

Weakness

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Affected Software

Potential Mitigations

• Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
• Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
• Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
• Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/128.html
• https://cwe.mitre.org/data/definitions/129.html

References

• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://bugzilla.mozilla.org/show_bug.cgi?id=1217609
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://github.com/libexpat/libexpat/issues/531
• https://github.com/libexpat/libexpat/pull/534
• https://security.gentoo.org/glsa/202209-24
• https://security.netapp.com/advisory/ntap-20220121-0004/
• https://www.debian.org/security/2022/dsa-5073
• https://www.tenable.com/security/tns-2022-05