Name | CVE-2022-0217 |
Description | It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). |
Source | CVE (NVD) |
References | DSA-5047-1 |
Debian Bugs | 1003696 |
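Worked example, added here and not part of the tracker entry or of Prosody's own code (Prosody's parser is Lua on top of luaexpat; this uses Python's libexpat binding, xml.parsers.expat, to reproduce the same parser behaviour). With expat left at its defaults the internal DTD subset is honoured, internal entities are expanded into character data (the CWE-776 pattern in the description), and every external entity reference is handed to whatever handler the application registered, which is where an application that resolves system IDs becomes XXE-exposed (CWE-611); expat itself never performs the fetch. The hardened parser rejects DOCTYPE, entity declarations and external references outright, which is the right policy for XMPP since RFC 6120 section 11.1 forbids DTDs and non-predefined entity references in streams, and keeps an expansion budget as a second layer. The sample documents, the XmlRejected class and the max_amplification ratio are constructed for this example.

```python
import xml.parsers.expat as expat


class XmlRejected(ValueError):
    """Raised when a document uses a feature the hardened parser forbids."""


# Constructed samples (not taken from the advisory).
BENIGN = '<message xmlns="jabber:client"><body>hello</body></message>'

# Three-level nested entity definition: a 226-byte document whose single
# entity reference expands to 300 bytes of text (CWE-776, kept deliberately
# small so it is harmless to run).
ENTITY_EXPANSION = (
    '<!DOCTYPE lol [\n'
    ' <!ENTITY lol "lol">\n'
    ' <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    ' <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    ']>\n'
    '<message><body>&lol2;</body></message>'
)

# External entity reference (CWE-611 pattern).
XXE = (
    '<!DOCTYPE x [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>\n'
    '<message><body>&ext;</body></message>'
)


def parse_unrestricted(doc):
    """Expat defaults: the internal DTD subset is processed, internal entities
    are expanded into character data, and each external entity reference is
    handed to the application's handler. Expat does no I/O itself; a handler
    that opened system_id is what would turn this into XXE. Here it only
    records the reference so the example stays offline."""
    parser = expat.ParserCreate()
    text, external_refs = [], []
    parser.CharacterDataHandler = text.append

    def on_external_ref(context, base, system_id, public_id):
        external_refs.append(system_id)  # record instead of fetching
        return 1  # non-zero tells expat to carry on parsing

    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(doc, True)
    return "".join(text), external_refs


def parse_hardened(doc, allow_dtd=False, max_amplification=10):
    """Reject DOCTYPE and entity declarations before any entity is defined,
    always reject external references, and as a second layer cap the total
    character data at max_amplification times the input size (the ratio is a
    hypothetical value chosen for this example)."""
    parser = expat.ParserCreate()
    text = []
    budget = max_amplification * len(doc)
    produced = 0

    def reject(*_args):
        raise XmlRejected("DTD features are not permitted")

    def on_text(data):
        nonlocal produced
        produced += len(data)
        if produced > budget:
            raise XmlRejected("entity expansion exceeds budget")
        text.append(data)

    if not allow_dtd:
        parser.StartDoctypeDeclHandler = reject  # fires at '<!DOCTYPE'
        parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.CharacterDataHandler = on_text
    parser.Parse(doc, True)
    return "".join(text)


def is_rejected(doc, **kwargs):
    """Helper: does parse_hardened refuse this document?"""
    try:
        parse_hardened(doc, **kwargs)
    except XmlRejected:
        return True
    return False
```

Note the order of the layers: rejecting the DOCTYPE up front stops both classes of attack before a single entity exists, so the budget only matters when a deployment has to accept a DTD for some other reason (allow_dtd=True); it then still catches the expansion but not an external reference, which is why the external handler rejects unconditionally.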
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
prosody (PTS) | jessie, jessie (lts) | 0.9.7-2+deb8u4 | vulnerable |
prosody | stretch (security), stretch (lts), stretch | 0.9.12-2+deb9u4 | vulnerable |
prosody | buster (security), buster, buster (lts) | 0.11.2-1+deb10u4 | fixed |
prosody | bullseye (security), bullseye | 0.11.9-2+deb11u2 | fixed |
prosody | bookworm | 0.12.3-1 | fixed |
prosody | sid, trixie | 0.12.4-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
prosody | source | jessie | (unfixed) | end-of-life | | |
prosody | source | buster | 0.11.2-1+deb10u3 | | DSA-5047-1 | |
prosody | source | bullseye | 0.11.9-2+deb11u1 | | DSA-5047-1 | |
prosody | source | (unstable) | 0.11.12-1 | | | 1003696 |
[stretch] - prosody <ignored> (websocket module introduced in 0.10.0; internal XML API only used on trusted data)
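A check to go with the fixed-version table above, added here and not taken from the tracker: given a release codename and the installed prosody version (on a Debian host, dpkg-query -W -f='${Version}' prosody, and VERSION_CODENAME from /etc/os-release), decide whether the package is at or past the fixed version. The comparison reimplements the dpkg version ordering from Debian Policy section 5.6.12 in plain Python so the check runs anywhere, including on a machine without dpkg; FIXED_VERSIONS is copied from the table, with jessie and stretch recorded as having no fix (end-of-life and ignored, respectively). The function names are this example's own.

```python
from itertools import zip_longest

# Fixed versions per release, copied from the tracker table on this page.
# None means no fixed version exists for that release.
FIXED_VERSIONS = {
    "jessie": None,      # end-of-life, unfixed
    "stretch": None,     # marked <ignored> by the tracker
    "buster": "0.11.2-1+deb10u3",
    "bullseye": "0.11.9-2+deb11u1",
    "unstable": "0.11.12-1",
}


def _order(c):
    """Character weight used by dpkg: '~' sorts before anything, even the end
    of the string; letters sort before non-letters. Digits never reach here."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_part(a, b):
    """Compare one upstream_version or debian_revision the way dpkg does
    (Debian Policy 5.6.12): alternate non-digit runs (lexical, via _order)
    and digit runs (numeric) until both strings are consumed."""
    while a or b:
        ia = next((i for i, c in enumerate(a) if c.isdigit()), len(a))
        ib = next((i for i, c in enumerate(b) if c.isdigit()), len(b))
        for x, y in zip_longest(a[:ia], b[:ib], fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        a, b = a[ia:], b[ib:]
        ia = next((i for i, c in enumerate(a) if not c.isdigit()), len(a))
        ib = next((i for i, c in enumerate(b) if not c.isdigit()), len(b))
        na, nb = int(a[:ia] or "0"), int(b[:ib] or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ia:], b[ib:]
    return 0


def _split(version):
    """[epoch:]upstream_version[-debian_revision] -> (epoch, upstream, revision).
    Only the first ':' and the last '-' are separators."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(release, installed_version):
    """True when the installed prosody package is at or past the fixed version
    for that release; False when no fix exists for the release."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        return False
    return compare_versions(installed_version, fixed) >= 0


if __name__ == "__main__":
    # Constructed inputs; on a real host substitute the dpkg-query output.
    for rel, ver in [("buster", "0.11.2-1+deb10u4"), ("stretch", "0.9.12-2+deb9u4")]:
        print(rel, ver, "fixed" if is_fixed(rel, ver) else "VULNERABLE")
```

The version currently in buster and bullseye (deb10u4 / deb11u2) is later than the DSA fixed version (deb10u3 / deb11u1), so both compare as fixed; the point of doing the comparison properly rather than with string equality is exactly that a later stable update must still count as fixed, while a lower revision or a pre-release marker such as ~rc1 must not.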
https://prosody.im/security/advisory_20220113/
Patch: https://prosody.im/security/advisory_20220113/1.patch
https://hg.prosody.im/0.11/raw-rev/783056b4e448
https://www.openwall.com/lists/oss-security/2022/01/13/3
Regression: https://issues.prosody.im/1711
Regression fix: https://hg.prosody.im/trunk/rev/e5e0ab93d7f4