Expat 2.2.3

Expat 2.2.2 was released with multiple security fixes:

  • #43: Protect against compilation without any source of high quality entropy enabled, e.g. with CMake build system
  • #60: Windows with _UNICODE: Unintended use of LoadLibraryW with a non-wide string resulted in failure to load advapi32.dll and degradation in quality of used entropy when compiled with _UNICODE for Windows; you can launch existing binaries with EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the quality of entropy used during runtime
  • [MOX-006]: Fix non-NULL parser parameter validation in XML_Parse; resulted in NULL dereference, previously

Expat 2.2.3 contains an additional security fix: #82: CVE-2017-11742 – Windows: Fix DLL hijacking vulnerability using Steve Holme’s LoadLibrary wrapper for/of cURL

  • Disclosure date: 2017-07-17 (Python issue bpo-30947 reported)

Fixed In

Python issue

Update embeded copy of libexpat from 2.2.1 to 2.2.3.

  • Python issue: bpo-30947
  • Creation date: 2017-07-17
  • Reporter: STINNER Victor

Timeline

Timeline using the disclosure date 2017-07-17 as reference:

  • 2017-07-17: Python issue bpo-30947 reported by STINNER Victor
  • 2017-08-18 (+32 days): commit 83e37e1
  • 2017-08-18 (+32 days): commit 93d0cb5
  • 2017-08-18 (+32 days): commit ec4ab09
  • 2017-09-06 (+51 days): commit 297516e
  • 2017-09-17 (+62 days): Python 2.7.14 released
  • 2017-09-19 (+64 days): Python 3.3.7 released
  • 2017-09-24 (+69 days): commit 86a713c
  • 2017-09-25 (+70 days): commit f2492bb
  • 2017-10-03 (+78 days): Python 3.6.3 released
  • 2018-02-04 (+202 days): Python 3.4.8 released
  • 2018-02-04 (+202 days): Python 3.5.5 released
  • 2018-06-28: Python 3.7.0 released