CVE-2017-9233: Expat 2.2.1

Upgrade the embedded expat copy from 2.2.0 to 2.2.1 to pick up fixes for multiple security vulnerabilities, including:

  • CVE-2017-9233 (External entity infinite loop DoS),
  • CVE-2016-9063 (Integer overflow, re-fix),
  • CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718),
  • CVE-2012-0876 (Counter hash flooding with SipHash).

Note: CVE-2016-5300 (use OS-specific entropy sources such as getrandom) doesn’t affect Python, since Python already obtains entropy from the OS and seeds the expat hash salt itself via XML_SetHashSalt().
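The two checks a Python deployment would want here are whether the interpreter is linked against an expat at or above 2.2.1, and a parser that refuses to resolve external entities, the input class behind CVE-2017-9233. The following is an added example, not code from the Python security tracker or from CPython; the sample XML, the hostname example.invalid and the function names are constructed for illustration, and it uses only the public pyexpat API (ExternalEntityRefHandler returning 0 makes expat abort the reference instead of fetching it).

```python
# Added example (not from the Python security tracker or CPython): check
# the linked expat version, and parse XML while refusing every external
# entity reference instead of resolving it.
import pyexpat
from xml.parsers import expat

FIXED_EXPAT = (2, 2, 1)  # first release carrying the fixes listed above


def expat_is_fixed(version_info=None):
    """Return True if the linked expat is 2.2.1 or newer.

    version_info defaults to pyexpat.version_info (a tuple of ints).
    """
    if version_info is None:
        version_info = pyexpat.version_info
    return tuple(version_info) >= FIXED_EXPAT


def parse_without_external_entities(data):
    """Parse XML bytes, refusing every external entity reference.

    Returns a dict with the character data collected, the system ids of
    the external entities that were refused, and the expat error message
    (or None) produced when a reference was refused.
    """
    parser = expat.ParserCreate()
    blocked = []
    text = []

    def refuse(context, base, system_id, public_id):
        # Record the reference and return 0: expat then stops with
        # XML_ERROR_EXTERNAL_ENTITY_HANDLING instead of fetching it.
        blocked.append(system_id)
        return 0

    parser.ExternalEntityRefHandler = refuse
    parser.CharacterDataHandler = text.append
    # Parameter-entity parsing stays off (expat's default), so an
    # external DTD subset is not fetched either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    error = None
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        if not blocked:
            raise  # a genuine well-formedness error, not our refusal
        error = expat.ErrorString(exc.code)
    return {"text": "".join(text), "blocked": blocked, "error": error}


# Constructed sample (hypothetical host): declares an external general
# entity in the internal subset and references it from content.
HOSTILE_XML = (
    b'<!DOCTYPE doc [\n'
    b'  <!ENTITY ext SYSTEM "http://example.invalid/file.txt">\n'
    b']>\n'
    b'<doc>hello &ext;</doc>'
)
BENIGN_XML = b'<doc>hello</doc>'

if __name__ == "__main__":
    print("expat version:", pyexpat.version_info, "fixed:", expat_is_fixed())
    print(parse_without_external_entities(HOSTILE_XML))
    print(parse_without_external_entities(BENIGN_XML))
```

Refusing in ExternalEntityRefHandler is a stricter policy than leaving the handler unset (expat then silently skips the entity): the document is rejected outright and the refused system id is recorded, which is the signal a log or alert would want. The version check is only meaningful for the expat the interpreter actually loads, so run it on the deployed interpreter rather than reading it off a source tree.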

  • Disclosure date: 2017-06-17 (Expat 2.2.1 release)

Fixed In

Python issue

Update embedded copy of expat to 2.2.1.

  • Python issue: issue #30694
  • Creation date: 2017-06-18
  • Reporter: Ned Deily

Timeline

Timeline using the disclosure date 2017-06-17 as reference:

  • 2017-06-17: Disclosure date (Expat 2.2.1 release)
  • 2017-06-18 (+1 day): Python issue #30694 reported by Ned Deily
  • 2017-06-21 (+4 days): commit 2ada64d
  • 2017-06-21 (+4 days): commit 91d171b
  • 2017-06-21 (+4 days): commit ea1ab80
  • 2017-07-12 (+25 days): commit 71572bb
  • 2017-07-16 (+29 days): commit ab90986
  • 2017-07-17 (+30 days): Python 3.6.2 released
  • 2017-08-08 (+52 days): Python 3.5.4 released
  • 2017-08-09 (+53 days): Python 3.4.7 released
  • 2017-09-17 (+92 days): Python 2.7.14 released
  • 2017-09-19 (+94 days): Python 3.3.7 released