{"id":"USN-5320-1","summary":"expat vulnerabilities and regression","details":"USN-5288-1 fixed several vulnerabilities in Expat. For CVE-2022-25236 it\ncaused a regression and an additional patch was required. This update addresses\nthis regression and several other vulnerabilities.\n\nIt was discovered that Expat incorrectly handled certain files.\nAn attacker could possibly use this issue to cause a denial of service.\n(CVE-2022-25313)\n\nIt was discovered that Expat incorrectly handled certain files.\nAn attacker could possibly use this issue to cause a crash\nor execute arbitrary code. This issue only affected Ubuntu 18.04 LTS,\nUbuntu 20.04 LTS, and Ubuntu 21.10. (CVE-2022-25314)\n\nIt was discovered that Expat incorrectly handled certain files.\nAn attacker could possibly use this issue to cause a crash or execute\narbitrary code. (CVE-2022-25315)\n\nOriginal advisory details:\n\n It was discovered that Expat incorrectly handled certain files.\n An attacker could possibly use this issue to cause a crash or\n execute arbitrary code. 
(CVE-2022-25236)\n","modified":"2026-02-10T04:42:31Z","published":"2022-03-10T13:19:12Z","related":["UBUNTU-CVE-2022-25313","UBUNTU-CVE-2022-25314","UBUNTU-CVE-2022-25315"],"upstream":["CVE-2022-25313","CVE-2022-25314","CVE-2022-25315","UBUNTU-CVE-2022-25313","UBUNTU-CVE-2022-25314","UBUNTU-CVE-2022-25315"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5320-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-25313"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-25314"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-25315"},{"type":"REPORT","url":"https://launchpad.net/bugs/1963903"}],"affected":[{"package":{"name":"expat","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/expat@2.1.0-4ubuntu1.4+esm6?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.0-4ubuntu1.4+esm6"}]}],"versions":["2.1.0-4","2.1.0-4ubuntu1","2.1.0-4ubuntu1.1","2.1.0-4ubuntu1.2","2.1.0-4ubuntu1.3","2.1.0-4ubuntu1.4","2.1.0-4ubuntu1.4+esm1","2.1.0-4ubuntu1.4+esm2","2.1.0-4ubuntu1.4+esm4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): 
https://ubuntu.com/pro","binaries":[{"binary_version":"2.1.0-4ubuntu1.4+esm6","binary_name":"expat"},{"binary_version":"2.1.0-4ubuntu1.4+esm6","binary_name":"lib64expat1"},{"binary_version":"2.1.0-4ubuntu1.4+esm6","binary_name":"lib64expat1-dev"},{"binary_version":"2.1.0-4ubuntu1.4+esm6","binary_name":"libexpat1"},{"binary_version":"2.1.0-4ubuntu1.4+esm6","binary_name":"libexpat1-dev"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:14.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25313"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25314"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25315"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5320-1.json"}},{"package":{"name":"expat","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/expat@2.1.0-7ubuntu0.16.04.5+esm5?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.0-7ubuntu0.16.04.5+esm5"}]}],"versions":["2.1.0-7","2.1.0-7ubuntu0.16.04.1","2.1.0-7ubuntu0.16.04.2","2.1.0-7ubuntu0.16.04.3","2.1.0-7ubuntu0.16.04.4","2.1.0-7ubuntu0.16.04.5","2.1.0-7ubuntu0.16.04.5+esm2"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): 
https://ubuntu.com/pro","binaries":[{"binary_version":"2.1.0-7ubuntu0.16.04.5+esm5","binary_name":"expat"},{"binary_version":"2.1.0-7ubuntu0.16.04.5+esm5","binary_name":"lib64expat1"},{"binary_version":"2.1.0-7ubuntu0.16.04.5+esm5","binary_name":"lib64expat1-dev"},{"binary_version":"2.1.0-7ubuntu0.16.04.5+esm5","binary_name":"libexpat1"},{"binary_version":"2.1.0-7ubuntu0.16.04.5+esm5","binary_name":"libexpat1-dev"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25313"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25314"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25315"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5320-1.json"}},{"package":{"name":"expat","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/expat@2.2.5-3ubuntu0.7?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.5-3ubuntu0.7"}]}],"versions":["2.2.3-1","2.2.3-2","2.2.5-0ubuntu2","2.2.5-3","2.2.5-3ubuntu0.1","2.2.5-3ubuntu0.2","2.2.5-3ubuntu0.4"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_version":"2.2.5-3ubuntu0.7","binary_name":"expat"},{"binary_version":"2.2.5-3ubuntu0.7","binary_name":"libexpat1"},{"binary_version":"2.2.5-3ubuntu0.7","binary_name":"libexpat1-dev"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:18.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25313"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25314"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25315"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5320-1.json"}},{"package":{"name":"expat","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/expat@2.2.9-1ubuntu0.4?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.9-1ubuntu0.4"}]}],"versions":["2.2.7-2","2.2.9-1","2.2.9-1build1","2.2.9-1ubuntu0.2"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_version":"2.2.9-1ubuntu0.4","binary_name":"expat"},{"binary_version":"2.2.9-1ubuntu0.4","binary_name":"libexpat1"},{"binary_version":"2.2.9-1ubuntu0.4","binary_name":"libexpat1-dev"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:20.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25313"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25314"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-25315"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5320-1.json"}}],"schema_version":"1.7.3"}