Expat 2.2.1
Upgrade the embedded expat copy from 2.2.0 to 2.2.1 to get fixes for multiple security vulnerabilities, including:
- CVE-2017-9233 (External entity infinite loop DoS),
- CVE-2016-9063 (Integer overflow, re-fix),
- CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718),
- CVE-2012-0876 (Counter hash flooding with SipHash).
Note: CVE-2016-5300 (Use os-specific entropy sources like getrandom)
doesn’t impact Python, since Python already gets entropy from the OS to set
the expat secret using XML_SetHashSalt().
Dates:
- Disclosure date: 2017-06-17 (Expat 2.2.1 release)
Fixed In
- Python 2.7.14 (2017-09-16) fixed by commit 2ada64d (branch 2.7) (2017-06-21)
- Python 3.3.7 (2017-09-19) fixed by commit ab90986 (branch 3.3) (2017-07-16)
- Python 3.4.7 (2017-08-09) fixed by commit 71572bb (branch 3.4) (2017-07-12)
- Python 3.5.4 (2017-08-07) fixed by commit 91d171b (branch 3.5) (2017-06-21)
- Python 3.6.2 (2017-07-08) fixed by commit ea1ab80 (branch 3.6) (2017-06-21)
- Python 3.7.0 (2018-06-27) fixed by commit 5ff7132 (branch 3.7) (2017-06-21)
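One way to check an interpreter against the list above, as an added example that is not part of the original page or of CPython: it compares the Python release with the "Fixed In" versions and also checks the Expat version the interpreter is actually linked against, since a build made with `--with-system-expat` uses the system library rather than the bundled copy. The names `FIXED_IN`, `MIN_EXPAT`, `parse_expat_version`, `assess` and `assess_running_interpreter` are hypothetical, and treating branches newer than 3.7 as already carrying the update is an assumption.

```python
import sys
from xml.parsers import expat

# First release on each branch that bundles Expat 2.2.1 (from the "Fixed In" list).
FIXED_IN = {(2, 7): (2, 7, 14), (3, 3): (3, 3, 7), (3, 4): (3, 4, 7),
            (3, 5): (3, 5, 4), (3, 6): (3, 6, 2), (3, 7): (3, 7, 0)}
MIN_EXPAT = (2, 2, 1)


def parse_expat_version(text):
    """Turn 'expat_2.2.1' (the pyexpat EXPAT_VERSION format) into (2, 2, 1)."""
    digits = text.rsplit("_", 1)[-1].split(".")
    return tuple(int(part) for part in digits)


def assess(python_version, expat_version):
    """Return (status, detail) for a Python version and its linked Expat version."""
    py = tuple(python_version[:3])
    fixed = FIXED_IN.get(py[:2])
    if fixed is None:
        # Branch not in the list: assumed fixed only if newer than 3.7.
        bundled_ok = py[:2] > max(FIXED_IN)
    else:
        bundled_ok = py >= fixed
    # The linked library decides exposure; the bundled copy may not be in use.
    linked_ok = tuple(expat_version) >= MIN_EXPAT
    if linked_ok and bundled_ok:
        return "ok", "Expat >= 2.2.1 and Python release carries the update"
    if linked_ok:
        return "ok", "linked Expat >= 2.2.1 (newer than this release's bundled copy)"
    if bundled_ok:
        return "vulnerable", "Python release is fixed but the linked Expat is older"
    return "vulnerable", "upgrade Python or the Expat library it links against"


def assess_running_interpreter():
    """Check the interpreter executing this script."""
    return assess(sys.version_info, expat.version_info)


if __name__ == "__main__":
    status, detail = assess_running_interpreter()
    print(expat.EXPAT_VERSION, status, detail)
```

`parse_expat_version` is for `EXPAT_VERSION` strings collected from other hosts; the local check uses `expat.version_info` directly.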
Python issue
Update embedded copy of expat to 2.2.1.
- Python issue: bpo-30694
- Creation date: 2017-06-18
- Reporter: Ned Deily
CVE-2012-0876
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
- CVE ID: CVE-2012-0876
- Published: 2012-07-03
- CVSS Score: 4.3
CVE-2016-0718
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
- CVE ID: CVE-2016-0718
- Published: 2016-05-26
- CVSS Score: 7.5
CVE-2016-9063
An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.
- CVE ID: CVE-2016-9063
- Published: 2018-06-11
- CVSS Score: 7.5
CVE-2017-9233
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
- CVE ID: CVE-2017-9233
- Published: 2017-07-25
- CVSS Score: 5.0
Timeline
Timeline using the disclosure date 2017-06-17 as reference:
- 2012-07-03 (-1810 days): CVE-2012-0876 published
- 2016-05-26 (-387 days): CVE-2016-0718 published
- 2017-06-17: Disclosure date (Expat 2.2.1 release)
- 2017-06-18 (+1 days): Python issue bpo-30694 reported by Ned Deily
- 2017-06-21 (+4 days): commit 2ada64d (branch 2.7)
- 2017-06-21 (+4 days): commit 5ff7132 (branch 3.7)
- 2017-06-21 (+4 days): commit 91d171b (branch 3.5)
- 2017-06-21 (+4 days): commit ea1ab80 (branch 3.6)
- 2017-07-08 (+21 days): Python 3.6.2 released
- 2017-07-12 (+25 days): commit 71572bb (branch 3.4)
- 2017-07-16 (+29 days): commit ab90986 (branch 3.3)
- 2017-07-25 (+38 days): CVE-2017-9233 published
- 2017-08-07 (+51 days): Python 3.5.4 released
- 2017-08-09 (+53 days): Python 3.4.7 released
- 2017-09-16 (+91 days): Python 2.7.14 released
- 2017-09-19 (+94 days): Python 3.3.7 released
- 2018-06-11 (+359 days): CVE-2016-9063 published
- 2018-06-27: Python 3.7.0 released
Links
- https://libexpat.github.io/doc/cve-2017-9233/
- https://github.com/libexpat/libexpat/blob/R_2_2_1/expat/Changes
- https://nvd.nist.gov/vuln/detail/CVE-2012-0876/
- https://nvd.nist.gov/vuln/detail/CVE-2016-0718/
- https://nvd.nist.gov/vuln/detail/CVE-2016-5300/
- https://nvd.nist.gov/vuln/detail/CVE-2016-9063/
- https://nvd.nist.gov/vuln/detail/CVE-2017-9233/