Our security scanner has picked up the following CRITICAL `libexpat` vulnerabilities for the Dangerzone image:

The first two vulnerabilities (CVE-2024-45491, CVE-2024-45492) do not affect our container image, because they apply only to 32-bit architectures. The third one applies to 64-bit architectures as well, so it requires a bit more digging from us.

Our understanding (credits to @lsd-cat) is that to exploit the bug, you need to pass a negative length to the `XML_ParseBuffer` libexpat API call when parsing an XML buffer. Usually this function is not called on its own; users call a wrapper instead, which should provide the proper length. For this reason, we believe that this attack is valid, but does not apply to our workloads, and is therefore more theoretical. Case in point:

- LibreOffice does not use the `XML_ParseBuffer` function directly.
- `libexpat` versions (as of 2024-09-09): https://security-tracker.debian.org/tracker/CVE-2024-45490

We believe we can ignore these CVEs in our security scans, but we're well aware that we need to release a new container image soon. We also hope that we will have a permanent solution to this problem with independent container updates (#745) within the next releases.
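One way to check the "does not call `XML_ParseBuffer` directly" claim for any binary tree, as an added example that is not part of the issue above and not Dangerzone project code: walk a directory, and for every shared object or executable ask `nm` which dynamic symbols it imports (the `U` entries), then keep the files that import the symbol of interest. Run it inside the container image (for example via `podman run --rm --entrypoint /bin/sh IMAGE -c '...'`, where IMAGE is whatever the scanned image is tagged as) against the LibreOffice install path. The helper name `symbol_importers` and the sample paths are this example's own. It assumes GNU binutils `nm` is installed; it only sees dynamic-linker imports, so a statically linked expat or a `dlsym()` lookup would not show up.

```bash
#!/bin/sh
# Added example (not from the Dangerzone issue): list ELF objects under DIR
# whose dynamic symbol table has an undefined reference to SYMBOL, i.e. files
# that call SYMBOL directly through the dynamic linker.
#
# usage: symbol_importers DIR SYMBOL
# e.g.:  symbol_importers /usr/lib/libreoffice XML_ParseBuffer   (assumed path)
symbol_importers() {
    dir=$1
    sym=$2
    # Nothing to scan: print nothing rather than failing under 'set -e'.
    [ -d "$dir" ] || return 0

    # Candidates: shared objects (*.so, *.so.N) and owner-executable files.
    # -perm -100 is the POSIX spelling of "owner has execute bit".
    find "$dir" -type f \( -name '*.so' -o -name '*.so.*' -o -perm -100 \) 2>/dev/null |
    while IFS= read -r f; do
        # nm -D reads the dynamic symbol table; --undefined-only keeps imports.
        # Each import is printed as "<spaces> U <name>", so anchor on that.
        # Non-ELF files (scripts, data) make nm fail; that failure is ignored.
        if nm -D --undefined-only "$f" 2>/dev/null |
           grep -q "[[:space:]]U[[:space:]]$sym\$"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# A non-empty result means the symbol is reachable from that file without any
# wrapper; an empty result for the LibreOffice tree supports the claim in the
# issue, but says nothing about libraries that reach expat through their own
# wrappers, so also run it on the whole image, e.g. symbol_importers / XML_ParseBuffer.
```

Review the callers of any file that shows up: what matters for CVE-2024-45490 is whether the `len` argument those callers pass can ever be negative, which this scan does not decide.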