Expat 2.2 (Expat bug #537)

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

Dates:

• Disclosure date: 2017-02-17 (Python issue bpo-29591 reported)
• Reported by: 2016-05-27 (expat bug #537 reported)

Fixed In

• Python 2.7.14 (2017-09-16) fixed by commit 0e4571a (branch 2.7) (2017-06-15)
• Python 3.3.7 (2017-09-19) fixed by commit ab90986 (branch 3.3) (2017-07-16)
• Python 3.4.7 (2017-08-09) fixed by commit 71572bb (branch 3.4) (2017-07-12)
• Python 3.5.4 (2017-08-07) fixed by commit 8c797ed (branch 3.5) (2017-06-15)
• Python 3.6.2 (2017-07-08) fixed by commit 86b9537 (branch 3.6) (2017-06-14)
• Python 3.7.0 (2018-06-27) fixed by commit 23ec4b5 (branch 3.7) (2017-06-14)

Python issue

expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472).

• Python issue: bpo-29591
• Creation date: 2017-02-17
• Reporter: Natanael Copa

CVE-2016-0718

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

• CVE ID: CVE-2016-0718
• Published: 2016-05-26
• CVSS Score: 7.5

CVE-2016-4472

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.

• CVE ID: CVE-2016-4472
• Published: 2016-06-30
• CVSS Score: 6.8

Timeline

Timeline using the disclosure date 2017-02-17 as reference:

• 2016-05-26 (-267 days): CVE-2016-0718 published
• 2016-06-30 (-232 days): CVE-2016-4472 published
• 2017-02-17: Python issue bpo-29591 reported by Natanael Copa
• 2017-06-14 (+117 days): commit 23ec4b5 (branch 3.7)
• 2017-06-14 (+117 days): commit 86b9537 (branch 3.6)
• 2017-06-15 (+118 days): commit 0e4571a (branch 2.7)
• 2017-06-15 (+118 days): commit 8c797ed (branch 3.5)
• 2017-07-08 (+141 days): Python 3.6.2 released
• 2017-07-12 (+145 days): commit 71572bb (branch 3.4)
• 2017-07-16 (+149 days): commit ab90986 (branch 3.3)
• 2017-08-07 (+171 days): Python 3.5.4 released
• 2017-08-09 (+173 days): Python 3.4.7 released
• 2017-09-16 (+211 days): Python 2.7.14 released
• 2017-09-19 (+214 days): Python 3.3.7 released
• 2018-06-27: Python 3.7.0 released

Links

• https://sourceforge.net/p/expat/bugs/537/
• https://bugs.python.org/issue30610