Expat 2.2 (Expat bug #537)

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

Dates:

• Disclosure date: 2017-02-17 (Python issue bpo-29591 reported)
• Reported by: 2016-05-27 (expat bug #537 reported)

Fixed In

• Python 2.7.14 (2017-09-16) fixed by commit 0e4571a (branch 2.7) (2017-06-15)
• Python 3.3.7 (2017-09-19) fixed by commit ab90986 (branch 3.3) (2017-07-16)
• Python 3.4.7 (2017-08-09) fixed by commit 71572bb (branch 3.4) (2017-07-12)
• Python 3.5.4 (2017-08-07) fixed by commit 8c797ed (branch 3.5) (2017-06-15)
• Python 3.6.2 (2017-07-08) fixed by commit 86b9537 (branch 3.6) (2017-06-14)
• Python 3.7.0 (2018-06-27) fixed by commit 23ec4b5 (branch 3.7) (2017-06-14)

Python issue

expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472).

• Python issue: bpo-29591
• Creation date: 2017-02-17
• Reporter: Natanael Copa

CVE-2016-0718

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

• CVE ID: CVE-2016-0718
• Published: 2016-05-26
• CVSS Score: 7.5

CVE-2016-4472

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.

• CVE ID: CVE-2016-4472
• Published: 2016-06-30
• CVSS Score: 6.8

Timeline

Timeline using the disclosure date 2017-02-17 as reference:

• 2016-05-26 (-267 days): CVE-2016-0718 published
• 2016-06-30 (-232 days): CVE-2016-4472 published
• 2017-02-17: Python issue bpo-29591 reported by Natanael Copa
• 2017-06-14 (+117 days): commit 23ec4b5 (branch 3.7)
• 2017-06-14 (+117 days): commit 86b9537 (branch 3.6)
• 2017-06-15 (+118 days): commit 0e4571a (branch 2.7)
• 2017-06-15 (+118 days): commit 8c797ed (branch 3.5)
• 2017-07-08 (+141 days): Python 3.6.2 released
• 2017-07-12 (+145 days): commit 71572bb (branch 3.4)
• 2017-07-16 (+149 days): commit ab90986 (branch 3.3)
• 2017-08-07 (+171 days): Python 3.5.4 released
• 2017-08-09 (+173 days): Python 3.4.7 released
• 2017-09-16 (+211 days): Python 2.7.14 released
• 2017-09-19 (+214 days): Python 3.3.7 released
• 2018-06-27: Python 3.7.0 released

Links

• https://sourceforge.net/p/expat/bugs/537/
• https://bugs.python.org/issue30610