CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0

On Windows and macOS, Python uses a vendored copy of libexpat which is vulnerable to the XML “Billion Laughs” expansion denial of service attack.

Updating the vendored libexpat copy in Python to libexpat 2.4.0 or newer fixes the vulnerability.

  • Disclosure date: 2021-06-11 (Python issue bpo-44394 reported)

Fixed In

Python issue

[security] CVE-2013-0340 “Billion Laughs” fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1.

  • Python issue: bpo-44394
  • Creation date: 2021-06-11
  • Reporter: STINNER Victor

CVE-2013-0340

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
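As an added example (not code from the original page or from CPython), the following Python script applies the mitigation the CVE text names: it installs an entity declaration handler (Python's counterpart of XML_SetEntityDeclHandler) that aborts parsing before any entity can be expanded, and it reports whether the expat linked into the interpreter is 2.4.0 or newer. The two sample documents are constructed for the demonstration.

```python
"""Refuse DTD entity declarations so expat never expands them."""
import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """Raised when a document declares any entity, internal or external."""


def expat_has_billion_laughs_protection():
    """True when the expat linked into this interpreter is 2.4.0 or newer,
    the release in which CVE-2013-0340 was fixed for the vendored copy."""
    return xml.parsers.expat.version_info >= (2, 4, 0)


def parse_without_entities(data):
    """Parse XML with pyexpat, aborting at the first <!ENTITY ...> declaration.

    The CVE text notes expat only protects itself when the application uses
    XML_SetEntityDeclHandler; in Python that hook is EntityDeclHandler.
    Raising inside the handler stops the parser and the exception propagates
    out of Parse(), so no entity value is ever substituted.
    Returns the document's concatenated character data.
    """
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def reject_entity(name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise EntityDeclarationError("entity declaration %r rejected" % name)

    parser.EntityDeclHandler = reject_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text)


def rejects_entities(data):
    """True if the document is refused because it declares entities."""
    try:
        parse_without_entities(data)
    except EntityDeclarationError:
        return True
    return False


# Constructed sample inputs (not from the page): a plain document and a
# two-level nested entity chain, the billion-laughs shape at harmless size.
PLAIN_DOC = "<d>hello</d>"
NESTED_ENTITY_DOC = '<!DOCTYPE d [<!ENTITY a "lol"><!ENTITY b "&a;&a;">]><d>&b;</d>'
```

Rejecting declarations outright is the same approach the defusedxml package takes; on an interpreter whose vendored expat is still older than 2.4.0 it is the only application-side defense against this CVE.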

Timeline

Timeline using the disclosure date 2021-06-11 as reference: