.. _expat-2.2.3:

Expat 2.2.3
===========

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the `Open Source Vulnerability Database `_.

Expat 2.2.2 was released with multiple security fixes:

* #43: Protect against compilation without any source of high quality entropy enabled, e.g. with the CMake build system
* #60: Windows with _UNICODE: Unintended use of LoadLibraryW with a non-wide string resulted in failure to load advapi32.dll and degradation in quality of used entropy when compiled with _UNICODE for Windows; you can launch existing binaries with EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the quality of entropy used during runtime
* [MOX-006]: Fix non-NULL parser parameter validation in XML_Parse; previously this resulted in a NULL dereference

Expat 2.2.3 contains an additional security fix:

* #82: CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability using Steve Holme's LoadLibrary wrapper for/of cURL

Dates:

* Disclosure date: **2017-07-17** (Python issue bpo-30947 reported)

Fixed In
--------

* Python **2.7.14** (2017-09-16) fixed by `commit ec4ab09 (branch 2.7) `_ (2017-08-18)
* Python **3.3.7** (2017-09-19) fixed by `commit 297516e (branch 3.3) `_ (2017-09-06)
* Python **3.4.8** (2018-02-04) fixed by `commit 86a713c (branch 3.4) `_ (2017-09-24)
* Python **3.5.5** (2018-02-04) fixed by `commit f2492bb (branch 3.5) `_ (2017-09-25)
* Python **3.6.3** (2017-10-03) fixed by `commit 83e37e1 (branch 3.6) `_ (2017-08-18)
* Python **3.7.0** (2018-06-27) fixed by `commit 93d0cb5 (branch 3.7) `_ (2017-08-18)

Python issue
------------

Update embedded copy of libexpat from 2.2.1 to 2.2.3.

* Python issue: `bpo-30947 `_
* Creation date: 2017-07-17
* Reporter: STINNER Victor

Timeline
--------

Timeline using the disclosure date **2017-07-17** as reference:

* 2017-07-17: `Python issue bpo-30947 `_ reported by STINNER Victor
* 2017-08-18 (**+32 days**): `commit 83e37e1 (branch 3.6) `_
* 2017-08-18 (**+32 days**): `commit 93d0cb5 (branch 3.7) `_
* 2017-08-18 (**+32 days**): `commit ec4ab09 (branch 2.7) `_
* 2017-09-06 (**+51 days**): `commit 297516e (branch 3.3) `_
* 2017-09-16 (**+61 days**): Python 2.7.14 released
* 2017-09-19 (**+64 days**): Python 3.3.7 released
* 2017-09-24 (**+69 days**): `commit 86a713c (branch 3.4) `_
* 2017-09-25 (**+70 days**): `commit f2492bb (branch 3.5) `_
* 2017-10-03 (**+78 days**): Python 3.6.3 released
* 2018-02-04 (**+202 days**): Python 3.4.8 released
* 2018-02-04 (**+202 days**): Python 3.5.5 released
* 2018-06-27: Python 3.7.0 released

Links
-----

* https://nvd.nist.gov/vuln/detail/CVE-2017-11742/
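The practical check for this advisory is the libexpat version actually linked into the interpreter, not the CPython version alone, since a distribution build made with ``--with-system-expat`` ignores the embedded copy this issue updated. The following is an added example, not code from this page or from the Expat project; it relies on the ``pyexpat.version_info`` and ``pyexpat.EXPAT_VERSION`` attributes that CPython exposes, and its second function simply re-runs a tiny parse in a child interpreter with ``EXPAT_ENTROPY_DEBUG=1`` (the diagnostic the #60 entry above describes) and returns whatever libexpat prints to stderr, without assuming its exact format.

```python
import os
import pyexpat
import re
import subprocess
import sys

# First libexpat release carrying the CVE-2017-11742 fix; it also includes
# the 2.2.2 fixes listed on this page.
FIXED_EXPAT = (2, 2, 3)


def parse_expat_version(version_string):
    """Turn an EXPAT_VERSION string such as 'expat_2.2.3' into (2, 2, 3)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if match is None:
        raise ValueError("unrecognised Expat version string: %r" % version_string)
    return tuple(int(part) for part in match.groups())


def is_fixed(version_info, fixed=FIXED_EXPAT):
    """True when a (major, minor, micro) tuple is at or past the fixed release."""
    return tuple(version_info) >= tuple(fixed)


def check_runtime():
    """Report the libexpat this interpreter is really linked against."""
    info = tuple(pyexpat.version_info)  # e.g. (2, 2, 3)
    return {"expat": pyexpat.EXPAT_VERSION, "version_info": info,
            "fixed": is_fixed(info)}


def entropy_debug_report():
    """Parse a constructed one-element document in a child interpreter with
    EXPAT_ENTROPY_DEBUG=1 set and return its stderr (libexpat >= 2.2.2 reports
    the entropy source it used there; older builds print nothing)."""
    script = ("import xml.parsers.expat as e; "
              "p = e.ParserCreate(); p.Parse(b'<root/>', True)")
    env = dict(os.environ, EXPAT_ENTROPY_DEBUG="1")
    proc = subprocess.run([sys.executable, "-c", script], env=env,
                          capture_output=True, text=True)
    return proc.stderr


if __name__ == "__main__":
    report = check_runtime()
    print("libexpat %s -> %s" % (report["expat"],
                                 "fixed" if report["fixed"] else "VULNERABLE"))
    print(entropy_debug_report().strip() or "(no entropy diagnostic printed)")
```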