Expat 2.2.1

Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including:

  • CVE-2017-9233 (External entity infinite loop DoS),
  • CVE-2016-9063 (Integer overflow, re-fix),
  • CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718)
  • CVE-2012-0876 (Counter hash flooding with SipHash).

Note: the CVE-2016-5300 (Use os-specific entropy sources like getrandom) doesn’t impact Python, since Python already gets entropy from the OS to set the expat secret using XML_SetHashSalt().


  • Disclosure date: 2017-06-17 (Expat 2.2.1 release)

Fixed In

Python issue

Update embedded copy of expat to 2.2.1.

  • Python issue: bpo-30694
  • Creation date: 2017-06-18
  • Reporter: Ned Deily


The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.


Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.


An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50.


XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.


Timeline using the disclosure date 2017-06-17 as reference: