Issue #26556: Expat 2.1.1

Multiple integer overflows have been discovered in Expat, an XML parsing C library, which may result in denial of service or the execution of arbitrary code if a malformed XML file is processed.

Update the bundled copy of the Expat library to version 2.1.1 to get the CVE-2015-1283 fixes.

  • Disclosure date: 2016-03-14 (Python issue bpo-26556 reported)
  • Reported at: 2015-07-24 (Expat issue #528 reported)
  • Reported by: David Dillard (Expat issue)

Fixed In

Python issue

Update expat to 2.1.1.

  • Python issue: bpo-26556
  • Creation date: 2016-03-14
  • Reporter: Christian Heimes

Timeline

Timeline using the disclosure date 2016-03-14 as reference: