Issue #26556: Expat 2.1.1

Multiple integer overflows have been discovered in Expat, an XML parsing C library, which may result in denial of service or the execution of arbitrary code if a malformed XML file is processed.

Update the bundled copy of the Expat library to version 2.1.1 to get the CVE-2015-1283 fixes.

  • Disclosure date: 2016-03-14 (Python issue #26556 reported)
  • Reported at: 2015-07-24 (Expat issue #528 reported)
  • Reported by: David Dillard (Expat issue)
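A practical check that follows from the fix above: an interpreter is only protected once the Expat it is linked against is at least 2.1.1. The snippet below is an added example, not part of this advisory or of CPython; it assumes only the standard-library `pyexpat` module, whose `version_info` tuple and `EXPAT_VERSION` string report the Expat build the interpreter was compiled or linked against. The `parse_untrusted_xml` gate is a hypothetical illustration of refusing attacker-controlled input on a known-vulnerable parser.

```python
"""Check whether the Expat linked into this interpreter carries the CVE-2015-1283 fix.

Added example (not from the advisory). It relies only on the standard-library
pyexpat module, whose version_info tuple reports the Expat version that the
interpreter was compiled/linked against.
"""
import pyexpat

# Fixed version named by the advisory: Expat 2.1.1 (CVE-2015-1283).
FIXED_EXPAT_VERSION = (2, 1, 1)


def expat_version():
    """Return the linked Expat version as a (major, minor, micro) tuple."""
    return tuple(pyexpat.version_info)


def has_cve_2015_1283_fix(version=None):
    """True if `version` (default: the linked Expat) is at least 2.1.1.

    Tuple comparison is lexicographic, so (2, 2, 0) >= (2, 1, 1) holds while
    (2, 1, 0) >= (2, 1, 1) does not.
    """
    if version is None:
        version = expat_version()
    return tuple(version) >= FIXED_EXPAT_VERSION


def parse_untrusted_xml(data):
    """Parse bytes with pyexpat only when the linked Expat is at or above 2.1.1.

    Hypothetical gate for illustration: refuse to hand untrusted XML to a
    parser build known to contain the integer overflows. Returns the element
    names seen, in document order.
    """
    if not has_cve_2015_1283_fix():
        raise RuntimeError(
            "linked Expat %s is older than 2.1.1; refusing to parse untrusted XML"
            % pyexpat.EXPAT_VERSION
        )
    seen = []
    parser = pyexpat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # isfinal=True: the whole document is in `data`
    return seen


if __name__ == "__main__":
    print("Linked Expat:", pyexpat.EXPAT_VERSION, expat_version())
    print("CVE-2015-1283 fixed:", has_cve_2015_1283_fix())
    # Constructed sample document, not taken from the advisory.
    print(parse_untrusted_xml(b"<root><child/></root>"))
```

One caveat when reading the result: `pyexpat.version_info` reflects the Expat that CPython was built against. An interpreter built with a system libexpat reports that library's version, and distributions sometimes backport the CVE-2015-1283 patches without bumping the version number, so a "2.1.0" reading on such a build is a prompt to check the distribution's changelog rather than proof of exposure.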

Fixed In

Vulnerable Versions

  • Python 3.3

Python issue

Update expat to 2.1.1.

  • Python issue: issue #26556
  • Creation date: 2016-03-14
  • Reporter: Christian Heimes

Timeline

Timeline using the disclosure date 2016-03-14 as reference:

  • 2015-07-24 (-234 days): Reported (Expat issue #528 reported)
  • 2016-03-14: Python issue #26556 reported by Christian Heimes
  • 2016-06-11 (+89 days): commit 196d7db
  • 2016-06-11 (+89 days): commit d244a8f
  • 2016-06-27 (+105 days): Python 3.4.5 released
  • 2016-06-27 (+105 days): Python 3.5.2 released
  • 2016-06-28 (+106 days): Python 2.7.12 released
  • 2016-12-23: Python 3.6.0 released