Commit Graph

6 Commits

Author SHA1 Message Date
Rob Crittenden
a8bddf83d5 Restrict XML Entity Expansion Depth in libexpat CVE-2024-8176
The embedded libexpat library is vulnerable to a stack overflow
due to uncontrolled recursion when processing deeply nested XML
entities. This can cause the application to crash, resulting in
a denial of service (DoS) or potentially leading to memory
corruption, depending on the user's environment and how the
library is used. The issue is triggered by supplying a specially
crafted XML document designed to create a long chain of recursive
entities.

libexpat addressed this upstream in
https://github.com/libexpat/libexpat/pull/973
but the embedded copy within xmlrpc-c is so old there is no chance
of applying this without rebasing it. Instead a recursion counter
is added to the parser to limit the depth.

Resolves: RHEL-57536
2025-03-19 15:33:54 -04:00
Rob Crittenden
288e29745d Prevent integer overflow or wraparound CVE-2024-45491
An issue was discovered in libexpat before 2.6.3. dtdCopy in
xmlparse.c can have an integer overflow for nDefaultAtts on
32-bit platforms (where UINT_MAX equals SIZE_MAX).

Backported from upstream https://github.com/libexpat/libexpat/pull/891

Resolves: RHEL-57519
2024-09-20 10:04:54 -04:00
Rob Crittenden
0e89150eee expat: Address segmentation fault in CVE-2023-52425
CVE-2023-52425 is a DoS where extremely large tags can cause
significant processing delays. It isn't reasonably possible to
backport the fix but while testing the impact it was determined
that a large ctags could cause a segmentation fault. That is what
is addressed.

Resolves: RHEL-24226
2024-04-25 10:47:50 -04:00
James Antill
32dbac7946 Auto sync2gitlab import of xmlrpc-c-1.51.0-8.el8.src.rpm 2022-05-31 15:02:30 -04:00
James Antill
bed8a35791 Auto sync2gitlab import of xmlrpc-c-1.51.0-5.el8.src.rpm 2022-05-26 16:18:32 -04:00
James Antill
7636f72f2e Initial c8s branch. 2022-05-26 16:18:29 -04:00