.. _expat-2.2.1:

Expat 2.2.1
===========

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the `Open Source Vulnerability Database `_.

Upgrade the embedded expat copy from 2.2.0 to 2.2.1 to get fixes for multiple security vulnerabilities, including:

* CVE-2017-9233 (external entity infinite loop DoS),
* CVE-2016-9063 (integer overflow, re-fix),
* CVE-2016-0718 (fix regression bugs from 2.2.0's fix for CVE-2016-0718),
* CVE-2012-0876 (counter hash flooding with SipHash).

Note: CVE-2016-5300 (use OS-specific entropy sources like getrandom) does not impact Python, since Python already obtains entropy from the OS and sets the expat hash salt with ``XML_SetHashSalt()``.

Dates:

* Disclosure date: **2017-06-17** (Expat 2.2.1 release)

Fixed In
--------

* Python **2.7.14** (2017-09-16) fixed by `commit 2ada64d (branch 2.7) `_ (2017-06-21)
* Python **3.3.7** (2017-09-19) fixed by `commit ab90986 (branch 3.3) `_ (2017-07-16)
* Python **3.4.7** (2017-08-09) fixed by `commit 71572bb (branch 3.4) `_ (2017-07-12)
* Python **3.5.4** (2017-08-07) fixed by `commit 91d171b (branch 3.5) `_ (2017-06-21)
* Python **3.6.2** (2017-07-08) fixed by `commit ea1ab80 (branch 3.6) `_ (2017-06-21)
* Python **3.7.0** (2018-06-27) fixed by `commit 5ff7132 (branch 3.7) `_ (2017-06-21)

Python issue
------------

Update embedded copy of expat to 2.2.1.

* Python issue: `bpo-30694 `_
* Creation date: 2017-06-18
* Reporter: Ned Deily

CVE-2012-0876
-------------

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

* CVE ID: `CVE-2012-0876 `_
* Published: 2012-07-03
* `CVSS Score `_: 4.3

CVE-2016-0718
-------------

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

* CVE ID: `CVE-2016-0718 `_
* Published: 2016-05-26
* `CVSS Score `_: 7.5

CVE-2016-9063
-------------

An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.

* CVE ID: `CVE-2016-9063 `_
* Published: 2018-06-11
* `CVSS Score `_: 7.5

CVE-2017-9233
-------------

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

* CVE ID: `CVE-2017-9233 `_
* Published: 2017-07-25
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2017-06-17** as reference:

* 2012-07-03 (**-1810 days**): CVE-2012-0876 published
* 2016-05-26 (**-387 days**): CVE-2016-0718 published
* 2017-06-17: Disclosure date (Expat 2.2.1 release)
* 2017-06-18 (**+1 day**): `Python issue bpo-30694 `_ reported by Ned Deily
* 2017-06-21 (**+4 days**): `commit 2ada64d (branch 2.7) `_
* 2017-06-21 (**+4 days**): `commit 5ff7132 (branch 3.7) `_
* 2017-06-21 (**+4 days**): `commit 91d171b (branch 3.5) `_
* 2017-06-21 (**+4 days**): `commit ea1ab80 (branch 3.6) `_
* 2017-07-08 (**+21 days**): Python 3.6.2 released
* 2017-07-12 (**+25 days**): `commit 71572bb (branch 3.4) `_
* 2017-07-16 (**+29 days**): `commit ab90986 (branch 3.3) `_
* 2017-07-25 (**+38 days**): CVE-2017-9233 published
* 2017-08-07 (**+51 days**): Python 3.5.4 released
* 2017-08-09 (**+53 days**): Python 3.4.7 released
* 2017-09-16 (**+91 days**): Python 2.7.14 released
* 2017-09-19 (**+94 days**): Python 3.3.7 released
* 2018-06-11 (**+359 days**): CVE-2016-9063 published
* 2018-06-27: Python 3.7.0 released

Links
-----

* https://libexpat.github.io/doc/cve-2017-9233/
* https://github.com/libexpat/libexpat/blob/R_2_2_1/expat/Changes
* https://nvd.nist.gov/vuln/detail/CVE-2012-0876/
* https://nvd.nist.gov/vuln/detail/CVE-2016-0718/
* https://nvd.nist.gov/vuln/detail/CVE-2016-5300/
* https://nvd.nist.gov/vuln/detail/CVE-2016-9063/
* https://nvd.nist.gov/vuln/detail/CVE-2017-9233/