.. _expat-2.2:

Expat 2.2 (Expat bug #537)
==========================

.. warning::

   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available
   on GitHub in the Open Source Vulnerability (OSV) format. This database can
   be viewed online at the Open Source Vulnerability Database.

The Expat XML parser mishandles certain kinds of malformed input documents,
resulting in buffer overflows during processing and error reporting. The
overflows can manifest as a segmentation fault or as memory corruption during
a parse operation. The bugs allow for a denial of service attack in many
applications by an unauthenticated attacker, and could conceivably result in
remote code execution.

Dates:

* Disclosure date: **2017-02-17** (Python issue bpo-29591 reported)
* Reported by: 2016-05-27 (expat bug #537 reported)

Fixed In
--------

* Python **2.7.14** (2017-09-16) fixed by commit 0e4571a (branch 2.7) (2017-06-15)
* Python **3.3.7** (2017-09-19) fixed by commit ab90986 (branch 3.3) (2017-07-16)
* Python **3.4.7** (2017-08-09) fixed by commit 71572bb (branch 3.4) (2017-07-12)
* Python **3.5.4** (2017-08-07) fixed by commit 8c797ed (branch 3.5) (2017-06-15)
* Python **3.6.2** (2017-07-08) fixed by commit 86b9537 (branch 3.6) (2017-06-14)
* Python **3.7.0** (2018-06-27) fixed by commit 23ec4b5 (branch 3.7) (2017-06-14)

Python issue
------------

expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718
and CVE-2016-4472).

* Python issue: bpo-29591
* Creation date: 2017-02-17
* Reporter: Natanael Copa

CVE-2016-0718
-------------

Expat allows context-dependent attackers to cause a denial of service (crash)
or possibly execute arbitrary code via a malformed input document, which
triggers a buffer overflow.

* CVE ID: CVE-2016-0718
* Published: 2016-05-26
* CVSS Score: 7.5

CVE-2016-4472
-------------

The overflow protection in Expat is removed by compilers with certain
optimization settings, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via crafted XML data.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2015-1283 and CVE-2015-2716.

* CVE ID: CVE-2016-4472
* Published: 2016-06-30
* CVSS Score: 6.8

Timeline
--------

Timeline using the disclosure date **2017-02-17** as reference:

* 2016-05-26 (**-267 days**): CVE-2016-0718 published
* 2016-06-30 (**-232 days**): CVE-2016-4472 published
* 2017-02-17: Python issue bpo-29591 reported by Natanael Copa
* 2017-06-14 (**+117 days**): commit 23ec4b5 (branch 3.7)
* 2017-06-14 (**+117 days**): commit 86b9537 (branch 3.6)
* 2017-06-15 (**+118 days**): commit 0e4571a (branch 2.7)
* 2017-06-15 (**+118 days**): commit 8c797ed (branch 3.5)
* 2017-07-08 (**+141 days**): Python 3.6.2 released
* 2017-07-12 (**+145 days**): commit 71572bb (branch 3.4)
* 2017-07-16 (**+149 days**): commit ab90986 (branch 3.3)
* 2017-08-07 (**+171 days**): Python 3.5.4 released
* 2017-08-09 (**+173 days**): Python 3.4.7 released
* 2017-09-16 (**+211 days**): Python 2.7.14 released
* 2017-09-19 (**+214 days**): Python 3.3.7 released
* 2018-06-27: Python 3.7.0 released

Links
-----

* https://sourceforge.net/p/expat/bugs/537/
* https://bugs.python.org/issue30610
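
The following check is an added example, not code from this page or from CPython. It compares a Python release against the "Fixed In" list above and inspects the Expat library actually linked into ``pyexpat``. It assumes Expat 2.2.0, the version named in the issue title, is the first release carrying both fixes; the function names are hypothetical.

```python
"""Check a Python release and its linked Expat against this page's fix data."""
import pyexpat
import sys

# First fixed release per maintenance branch, copied from "Fixed In" above.
FIRST_FIXED = {
    (2, 7): (2, 7, 14),
    (3, 3): (3, 3, 7),
    (3, 4): (3, 4, 7),
    (3, 5): (3, 5, 4),
    (3, 6): (3, 6, 2),
    (3, 7): (3, 7, 0),
}
# Assumption: Expat 2.2.0 (named in the issue title) is the first release
# that carries both the CVE-2016-0718 and CVE-2016-4472 fixes.
EXPAT_FIXED = (2, 2, 0)


def python_release_has_fix(version):
    """True if a CPython (major, minor, micro) ships the patched bundled Expat."""
    version = tuple(version[:3])
    branch = version[:2]
    if branch in FIRST_FIXED:
        return version >= FIRST_FIXED[branch]
    # Branches newer than 3.7 were cut after the fix landed; branches with
    # no entry in the table (2.6, 3.0-3.2, ...) never received it.
    return branch > (3, 7)


def linked_expat_has_fix(expat_version=None):
    """True if the Expat linked into pyexpat is at least EXPAT_FIXED.

    A build configured with --with-system-expat links the OS library instead
    of the bundled copy, so the interpreter version alone is not conclusive.
    """
    if expat_version is None:
        expat_version = pyexpat.version_info
    return tuple(expat_version[:3]) >= EXPAT_FIXED


def assess(py_version=None, expat_version=None):
    """Combine both checks; the linked library is what decides exposure."""
    py_version = sys.version_info if py_version is None else py_version
    release_ok = python_release_has_fix(py_version)
    library_ok = linked_expat_has_fix(expat_version)
    return {"release_fixed": release_ok, "expat_fixed": library_ok,
            "exposed": not library_ok}


if __name__ == "__main__":
    print(pyexpat.EXPAT_VERSION, assess())
```

Use ``python_release_has_fix`` when only the interpreter version is known, for example from an inventory; on a live host, prefer the ``expat_fixed`` result.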