CVE-2017-9233: Expat 2.2.1

Upgrade the embedded copy of Expat from 2.2.0 to 2.2.1 to pick up fixes for multiple security vulnerabilities, including:

  • CVE-2017-9233 (External entity infinite loop DoS),
  • CVE-2016-9063 (Integer overflow, re-fix),
  • CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718),
  • CVE-2012-0876 (Counter hash flooding with SipHash).

Note: CVE-2016-5300 (Use OS-specific entropy sources like getrandom) does not affect Python, since Python already obtains entropy from the OS and sets the Expat hash salt itself using XML_SetHashSalt().

  • Disclosure date: 2017-06-17 (Expat 2.2.1 release)

Fixed In

Vulnerable Versions

  • Python 2.7
  • Python 3.3
  • Python 3.4
  • Python 3.5

Python issue

Update embedded copy of expat to 2.2.1.

  • Python issue: issue #30694
  • Creation date: 2017-06-18
  • Reporter: Ned Deily

Timeline

Timeline using the disclosure date 2017-06-17 as reference:

  • 2017-06-17: Disclosure date (Expat 2.2.1 release)
  • 2017-06-18 (+1 day): Python issue #30694 reported by Ned Deily
  • 2017-06-21 (+4 days): commit ea1ab80
  • 2017-07-17 (+30 days): Python 3.6.2 released