Expat 2.2.1

Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including:

• CVE-2017-9233 (External entity infinite loop DoS),
• CVE-2016-9063 (Integer overflow, re-fix),
• CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718)
• CVE-2012-0876 (Counter hash flooding with SipHash).

Note: the CVE-2016-5300 (Use os-specific entropy sources like getrandom) doesn’t impact Python, since Python already gets entropy from the OS to set the expat secret using XML_SetHashSalt().

Dates:

• Disclosure date: 2017-06-17 (Expat 2.2.1 release)

Fixed In

• Python 2.7.14 (2017-09-16) fixed by commit 2ada64d (branch 2.7) (2017-06-21)
• Python 3.3.7 (2017-09-19) fixed by commit ab90986 (branch 3.3) (2017-07-16)
• Python 3.4.7 (2017-08-09) fixed by commit 71572bb (branch 3.4) (2017-07-12)
• Python 3.5.4 (2017-08-07) fixed by commit 91d171b (branch 3.5) (2017-06-21)
• Python 3.6.2 (2017-07-08) fixed by commit ea1ab80 (branch 3.6) (2017-06-21)
• Python 3.7.0 (2018-06-27) fixed by commit 5ff7132 (branch 3.7) (2017-06-21)

Python issue

Update embedded copy of expat to 2.2.1.

• Python issue: bpo-30694
• Creation date: 2017-06-18
• Reporter: Ned Deily

CVE-2012-0876

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

• CVE ID: CVE-2012-0876
• Published: 2012-07-03
• CVSS Score: 4.3

CVE-2016-0718

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

• CVE ID: CVE-2016-0718
• Published: 2016-05-26
• CVSS Score: 7.5

CVE-2016-9063

An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.

• CVE ID: CVE-2016-9063
• Published: 2018-06-11
• CVSS Score: 7.5

CVE-2017-9233

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

• CVE ID: CVE-2017-9233
• Published: 2017-07-25
• CVSS Score: 5.0

Timeline

Timeline using the disclosure date 2017-06-17 as reference:

• 2012-07-03 (-1810 days): CVE-2012-0876 published
• 2016-05-26 (-387 days): CVE-2016-0718 published
• 2017-06-17: Disclosure date (Expat 2.2.1 release)
• 2017-06-18 (+1 days): Python issue bpo-30694 reported by Ned Deily
• 2017-06-21 (+4 days): commit 2ada64d (branch 2.7)
• 2017-06-21 (+4 days): commit 5ff7132 (branch 3.7)
• 2017-06-21 (+4 days): commit 91d171b (branch 3.5)
• 2017-06-21 (+4 days): commit ea1ab80 (branch 3.6)
• 2017-07-08 (+21 days): Python 3.6.2 released
• 2017-07-12 (+25 days): commit 71572bb (branch 3.4)
• 2017-07-16 (+29 days): commit ab90986 (branch 3.3)
• 2017-07-25 (+38 days): CVE-2017-9233 published
• 2017-08-07 (+51 days): Python 3.5.4 released
• 2017-08-09 (+53 days): Python 3.4.7 released
• 2017-09-16 (+91 days): Python 2.7.14 released
• 2017-09-19 (+94 days): Python 3.3.7 released
• 2018-06-11 (+359 days): CVE-2016-9063 published
• 2018-06-27: Python 3.7.0 released

Links

• https://libexpat.github.io/doc/cve-2017-9233/
• https://github.com/libexpat/libexpat/blob/R_2_2_1/expat/Changes
• https://nvd.nist.gov/vuln/detail/CVE-2012-0876/
• https://nvd.nist.gov/vuln/detail/CVE-2016-0718/
• https://nvd.nist.gov/vuln/detail/CVE-2016-5300/
• https://nvd.nist.gov/vuln/detail/CVE-2016-9063/
• https://nvd.nist.gov/vuln/detail/CVE-2017-9233/