.. _expat-2.1.1:

Issue #26556: Expat 2.1.1
=========================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2015-1283>`_.

Multiple integer overflows have been discovered in Expat, an XML parsing C
library, which may result in denial of service or the execution of
arbitrary code if a malformed XML file is processed.

Update bundled copy of Expat library to version 2.1.1 to get CVE-2015-1283
fixes.

Dates:

* Disclosure date: **2016-03-14** (Python issue bpo-26556 reported)
* Reported at: 2015-07-24 (Expat issue #528 reported)
* Reported by: David Dillard (Expat issue)

Fixed In
--------

* Python **2.7.12** (2016-06-25) fixed by `commit d244a8f (branch 2.7) <https://github.com/python/cpython/commit/d244a8f7cb0ec6979ec9fc7acd39e95f5339ad0e>`_ (2016-06-11)
* Python **3.3.7** (2017-09-19) fixed by `commit ab90986 (branch 3.3) <https://github.com/python/cpython/commit/ab90986600ba7dea2aa41e5c1773791070725453>`_ (2017-07-16)
* Python **3.4.5** (2016-06-25) fixed by `commit 196d7db (branch 3.4) <https://github.com/python/cpython/commit/196d7db3956f4c0b03e87b570771b3460a61bab5>`_ (2016-06-11)
* Python **3.5.2** (2016-06-25) fixed by `commit 196d7db (branch 3.4) <https://github.com/python/cpython/commit/196d7db3956f4c0b03e87b570771b3460a61bab5>`_ (2016-06-11)
* Python **3.6.0** (2016-12-22) fixed by `commit 196d7db (branch 3.4) <https://github.com/python/cpython/commit/196d7db3956f4c0b03e87b570771b3460a61bab5>`_ (2016-06-11)

Python issue
------------

Update expat to 2.1.1.

* Python issue: `bpo-26556 <https://bugs.python.org/issue26556>`_
* Creation date: 2016-03-14
* Reporter: Christian Heimes

CVE-2015-1283
-------------

Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.

* CVE ID: `CVE-2015-1283 <https://nvd.nist.gov/vuln/detail/CVE-2015-1283/>`_
* Published: 2015-07-23
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 6.8

Timeline
--------

Timeline using the disclosure date **2016-03-14** as reference:

* 2015-07-23 (**-235 days**): CVE-2015-1283 published
* 2015-07-24 (**-234 days**): Reported (Expat issue #528 reported)
* 2016-03-14: `Python issue bpo-26556 <https://bugs.python.org/issue26556>`_ reported by Christian Heimes
* 2016-06-11 (**+89 days**): `commit 196d7db (branch 3.4) <https://github.com/python/cpython/commit/196d7db3956f4c0b03e87b570771b3460a61bab5>`_
* 2016-06-11 (**+89 days**): `commit d244a8f (branch 2.7) <https://github.com/python/cpython/commit/d244a8f7cb0ec6979ec9fc7acd39e95f5339ad0e>`_
* 2016-06-25 (**+103 days**): Python 2.7.12 released
* 2016-06-25 (**+103 days**): Python 3.4.5 released
* 2016-06-25 (**+103 days**): Python 3.5.2 released
* 2016-12-22: Python 3.6.0 released
* 2017-07-16 (**+489 days**): `commit ab90986 (branch 3.3) <https://github.com/python/cpython/commit/ab90986600ba7dea2aa41e5c1773791070725453>`_
* 2017-09-19 (**+554 days**): Python 3.3.7 released

Links
-----

* https://sourceforge.net/p/expat/bugs/528/
* https://nvd.nist.gov/vuln/detail/CVE-2015-1283/