Expat 2.2 (Expat bug #537)

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

Dates:

  • Disclosure date: 2017-02-17 (Python issue bpo-29591 reported)
  • Report date: 2016-05-27 (expat bug #537 reported)

Fixed In

Python issue

expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472).

  • Python issue: bpo-29591
  • Creation date: 2017-02-17
  • Reporter: Natanael Copa

CVE-2016-0718

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

CVE-2016-4472

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
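The defect class behind CVE-2016-4472 is worth seeing in code. The following is an added illustration, not Expat's own source: a parser holding `in_buffer` bytes of unparsed input must compute the size needed to hold `len` more bytes. The first version checks for overflow after performing a signed addition; because signed overflow is undefined behaviour in C, an optimising compiler may assume it cannot happen and delete the check, which is the kind of "overflow protection removed by compilers" the CVE text describes. The second version rejects the overflowing case before the addition, using only expressions that cannot overflow, and the third applies the same idea to a length-based bounds check. Function names and the sample values are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Illustration of the defect class described for CVE-2016-4472 (added here;
 * not Expat's code). A parser keeps `in_buffer` bytes of unparsed input and
 * must grow its buffer to hold `len` more bytes. */

/* Flawed pattern: add first, test for overflow afterwards. Signed overflow
 * is undefined behaviour in C, so an optimising compiler is entitled to
 * assume `in_buffer + len` never wraps and to delete the `n < 0` branch,
 * leaving a too-small allocation and a later buffer overflow.
 * Returns the needed size, or -1 if the check fires. */
int needed_size_unsafe(int in_buffer, int len)
{
    int n = in_buffer + len;   /* undefined behaviour when it overflows */
    if (n < 0)                 /* may be optimised away */
        return -1;
    return n;
}

/* Safe pattern: reject the addition before performing it, using only
 * expressions that cannot overflow. There is no undefined behaviour here,
 * so no optimisation level can remove the check.
 * Returns the needed size, or -1 on negative input or overflow. */
int needed_size_safe(int in_buffer, int len)
{
    if (in_buffer < 0 || len < 0)
        return -1;
    if (len > INT_MAX - in_buffer)   /* in_buffer + len would exceed INT_MAX */
        return -1;
    return in_buffer + len;
}

/* Same principle for bounds checks on an existing buffer: compare lengths
 * (`len <= capacity - offset`) rather than computing `offset + len`, which
 * can wrap for a large `len`. Returns 1 if the write fits, 0 otherwise. */
int write_fits(size_t offset, size_t capacity, size_t len)
{
    if (offset > capacity)
        return 0;
    return len <= capacity - offset;
}

int main(void)
{
    printf("needed_size_safe(100, 50)          = %d\n", needed_size_safe(100, 50));
    printf("needed_size_safe(INT_MAX - 10, 11) = %d\n", needed_size_safe(INT_MAX - 10, 11));
    printf("write_fits(10, 16, 7)              = %d\n", write_fits(10, 16, 7));
    return 0;
}
```

The practical check when reviewing buffer-growth code is whether any overflow test reads a value that an earlier arithmetic expression could only have produced through undefined behaviour; if so, the test is not guaranteed to survive compilation, and the comparison should be rewritten against `INT_MAX` (or the remaining capacity) before the arithmetic happens. Compiling with `-fsanitize=undefined` or `-ftrapv` surfaces the flawed pattern at runtime, but the fix is the pre-addition check itself.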

Timeline

Timeline using the disclosure date 2017-02-17 as reference: