Expat 2.2 (Expat bug #537)
The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. In many applications the bugs let an unauthenticated attacker cause a denial of service, and they could conceivably result in remote code execution.
Dates:
- Disclosure date: 2017-02-17 (Python issue bpo-29591 reported)
- Reported: 2016-05-27 (expat bug #537 reported)
Fixed In
- Python 2.7.14 (2017-09-16) fixed by commit 0e4571a (branch 2.7) (2017-06-15)
- Python 3.3.7 (2017-09-19) fixed by commit ab90986 (branch 3.3) (2017-07-16)
- Python 3.4.7 (2017-08-09) fixed by commit 71572bb (branch 3.4) (2017-07-12)
- Python 3.5.4 (2017-08-07) fixed by commit 8c797ed (branch 3.5) (2017-06-15)
- Python 3.6.2 (2017-07-08) fixed by commit 86b9537 (branch 3.6) (2017-06-14)
- Python 3.7.0 (2018-06-27) fixed by commit 23ec4b5 (branch 3.7) (2017-06-14)
Python issue
expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472).
- Python issue: bpo-29591
- Creation date: 2017-02-17
- Reporter: Natanael Copa
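To check whether a given interpreter still carries the vulnerable library, query the Expat version that pyexpat was actually linked against (bundled or system copy); Expat 2.2.0 is the release that fixed bug #537. The following is an added example written for this page, not code from CPython or the issue; the function names and the `__main__` usage are assumptions.

```python
import re
import pyexpat

# Expat 2.2.0 fixed bug #537 (CVE-2016-0718 / CVE-2016-4472); the bpo-29591
# fixes moved CPython's bundled copy to that release.
FIXED_EXPAT_VERSION = (2, 2, 0)


def parse_expat_version(version_string):
    """Turn pyexpat.EXPAT_VERSION (e.g. 'expat_2.2.0') into a tuple of ints.

    Raises ValueError for strings that do not look like an Expat version.
    """
    match = re.fullmatch(r"expat_(\d+)\.(\d+)\.(\d+)", version_string)
    if match is None:
        raise ValueError("unrecognised Expat version string: %r" % (version_string,))
    return tuple(int(part) for part in match.groups())


def expat_is_fixed(version=None):
    """True when the Expat linked into this interpreter is 2.2.0 or later.

    pyexpat reports whichever libexpat CPython was built against, so the
    answer reflects the library used at runtime even on builds that use the
    system Expat instead of the bundled one. Versions are compared as int
    tuples so that e.g. 2.10.0 sorts after 2.2.0.
    """
    if version is None:
        version = pyexpat.version_info  # tuple such as (2, 2, 0)
    return tuple(version) >= FIXED_EXPAT_VERSION


if __name__ == "__main__":
    status = "fixed" if expat_is_fixed() else "AFFECTED (expat bug #537)"
    print(pyexpat.EXPAT_VERSION, status)
```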
CVE-2016-0718
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
- CVE ID: CVE-2016-0718
- Published: 2016-05-26
- CVSS Score: 7.5
CVE-2016-4472
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
- CVE ID: CVE-2016-4472
- Published: 2016-06-30
- CVSS Score: 6.8
Timeline
Timeline using the disclosure date 2017-02-17 as reference:
- 2016-05-26 (-267 days): CVE-2016-0718 published
- 2016-06-30 (-232 days): CVE-2016-4472 published
- 2017-02-17: Python issue bpo-29591 reported by Natanael Copa
- 2017-06-14 (+117 days): commit 23ec4b5 (branch 3.7)
- 2017-06-14 (+117 days): commit 86b9537 (branch 3.6)
- 2017-06-15 (+118 days): commit 0e4571a (branch 2.7)
- 2017-06-15 (+118 days): commit 8c797ed (branch 3.5)
- 2017-07-08 (+141 days): Python 3.6.2 released
- 2017-07-12 (+145 days): commit 71572bb (branch 3.4)
- 2017-07-16 (+149 days): commit ab90986 (branch 3.3)
- 2017-08-07 (+171 days): Python 3.5.4 released
- 2017-08-09 (+173 days): Python 3.4.7 released
- 2017-09-16 (+211 days): Python 2.7.14 released
- 2017-09-19 (+214 days): Python 3.3.7 released
- 2018-06-27: Python 3.7.0 released