BUG: Prevent integer overflow in potential vulnerable cloned functions #5351
hjmjohnson merged 1 commit into InsightSoftwareConsortium:main from
Conversation
Thank you for contributing a pull request! 🙏
Welcome to the ITK community! 🤗👋☀️
We are glad you are here and appreciate your contribution. Please keep in mind our community participation guidelines. 📜
More support and guidance on the contribution process can be found in our contributing guide. 📖
This is an automatic message. Allow for time for the ITK community to be able to read the pull request and comment on it.
dzenanz left a comment
Why only this commit? Can you do a general update of ITK's bundled expat? Latest release is usually a good choice.
@dzenanz updating all of expat is likely a large undertaking that will need core developer input to get the name mangling and other elements done correctly. There is no UpdateFromUpstream.sh for expat, and setting that infrastructure up is likely beyond what a community contributor can easily accomplish. I recommend that we backport this identified bug fix, and then place the larger effort of updating the entire Expat library as an issue for an upcoming release of ITK.
Sure. Do you want to take over this PR? At the very least, the commit message needs an update. Ideally, point to the commit in upstream that is being cherry-picked, or a list of commits that have been squashed. That should ease future updating of this third-party library.
Sourced from libexpat/libexpat. This issue, originally reported in CVE-2022-22822 to CVE-2022-22822, was resolved in the repository via this commit libexpat/libexpat@9f93e80
Organized files to match upstream expat directory layout in preparation for minimizing differences. Instrument with comments to clearly identify where differences from upstream are desired in the CMakeLists.txt configurations. Followup from 38cca37 and requests for updates in InsightSoftwareConsortium#5351.
Thanks for merging my PR, @hjmjohnson! Just wanted to let you know that I plan to report this as a CVE. Please let me know if you have any concern. Thanks!
Hi Development Team,
I identified a potential integer overflow in clone functions in Modules/ThirdParty/Expat/src/expat/xmlparse.c, sourced from libexpat/libexpat. This issue, originally reported in CVE-2022-22822 to CVE-2022-22822, was resolved in the repository via this commit libexpat/libexpat@9f93e80. This PR applies the corresponding patch to fix the vulnerability in this codebase.
Please review at your convenience. Thank you!