classification
Title: Update embedded copy of expat to 2.2.1
Type: Stage: resolved
Components: Library (Lib) Versions: Python 3.7, Python 3.6, Python 3.5, Python 3.4, Python 3.3, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: haypo Nosy List: haypo, jkloth, larry, ned.deily
Priority: Keywords:

Created on 2017-06-18 03:01 by ned.deily, last changed 2017-07-16 14:13 by haypo. This issue is now closed.

Files
File name Uploaded Description Edit
rebuild_expat_dir.sh haypo, 2017-06-20 14:58
Pull Requests
URL Status Linked Edit
PR 2300 merged haypo, 2017-06-20 15:03
PR 2312 merged haypo, 2017-06-21 13:10
PR 2313 merged haypo, 2017-06-21 13:12
PR 2314 merged haypo, 2017-06-21 13:15
PR 2615 merged ned.deily, 2017-07-07 05:14
PR 2203 merged haypo, 2017-07-11 20:34
PR 2204 merged haypo, 2017-07-11 20:41
Messages (15)
msg296254 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-06-18 03:01
From the announcement:

Expat 2.2.1 has been released.  The change log has more details [2] than this mail, including commit SHA1s. For a quick overview of the security fixes and CVEs, we have:

   CVE-2017-9233  External entity infinite loop DoS [1]
  (CVE-2016-9063) Integer overflow (re-fix)
             n/a  More integer overflow fixes
  (CVE-2016-0718) Fix regression bugs from 2.2.0's fix to CVE-2016-0718
  (CVE-2016-5300) Use os-specific entropy sources like getrandom
             n/a  No longer leak parser pointer information
             n/a  Prevent use of uninitialised variables
             n/a  Add missing API parameter validation (NULL, len<0)
  (CVE-2012-0876) Counter hash flooding with SipHash

https://github.com/libexpat/libexpat/blob/R_2_2_1/expat/Changes

https://libexpat.github.io/doc/cve-2017-9233/
msg296447 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-06-20 14:58
rebuild_expat_dir.sh: Script to update Modules/expat/ to libexpat 2.2.1. The script requires to manually revert one change in Modules/expat/expat_external.h to restore the #include "pyexpatns.h" line.
msg296494 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-06-20 22:03
Oh, it seems like the compilation of expat 2.2.0 fails on Windows with VS 9.0:
http://bugs.python.org/issue30368#msg296493

But it seems like expat 2.2.1 is going to fix this compilation issue!
msg296538 - (view) Author: Jeremy Kloth (jkloth) * Date: 2017-06-21 10:34
Re buildbot failure: see PR on issue29591

It's not a problem with Expat, but with our project files.
msg296549 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-06-21 12:39
New changeset 5ff7132313eb651107b179d20218dfe5d4e47f13 by Victor Stinner in branch 'master':
bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300)
https://github.com/python/cpython/commit/5ff7132313eb651107b179d20218dfe5d4e47f13
msg296556 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-06-21 14:05
New changeset 4a66524006852fc982aebafa277f2c043d9ad149 by Victor Stinner in branch '3.6':
bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300) (#2313)
https://github.com/python/cpython/commit/4a66524006852fc982aebafa277f2c043d9ad149
msg296557 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-06-21 14:05
New changeset 91d171be45942d37a973b0675521b5159a96be31 by Victor Stinner in branch '3.5':
bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300) (#2314)
https://github.com/python/cpython/commit/91d171be45942d37a973b0675521b5159a96be31
msg296559 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-06-21 15:12
New changeset 2ada64d2a073f85f135461833952dbe8d656810d by Victor Stinner in branch '2.7':
[2.7] bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300) (#2312)
https://github.com/python/cpython/commit/2ada64d2a073f85f135461833952dbe8d656810d
msg296560 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-06-21 15:14
I will wait for 2.7, 3.5, 3.6 and master buildbots before backporting the change to 3.3 and 3.4.
msg297859 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-07-07 05:31
New changeset 05b72ede95521b2d897cb4c7b034139b5437c592 by Ned Deily in branch '3.6':
bpo-30797, bpo-30694: Avoid _GNU_SOURCE redefined warning in xmlparse.c (#2615)
https://github.com/python/cpython/commit/05b72ede95521b2d897cb4c7b034139b5437c592
msg297862 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-07-07 05:54
See bpo-30797 for compile warning introduced here.
msg297933 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-07-08 04:51
New changeset ea1ab803ddc14ab02ffed50ecc5089897f259623 by Ned Deily (Victor Stinner) in branch '3.6':
bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300) (#2313)
https://github.com/python/cpython/commit/ea1ab803ddc14ab02ffed50ecc5089897f259623

New changeset bdabd7666032ce356d550da21c35e4bee5b3448c by Ned Deily in branch '3.6':
bpo-30797, bpo-30694: Avoid _GNU_SOURCE redefined warning in xmlparse.c (#2615)
https://github.com/python/cpython/commit/bdabd7666032ce356d550da21c35e4bee5b3448c
msg298208 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2017-07-12 12:41
New changeset 71572bbe82aa0836c036d44d41c8269ba6a321be by larryhastings (Victor Stinner) in branch '3.4':
[3.4] bpo-29591, bpo-30694: Upgrade Modules/expat to libexpat 2.2.1 (#2164) (#2203)
https://github.com/python/cpython/commit/71572bbe82aa0836c036d44d41c8269ba6a321be
msg298427 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-07-16 08:48
New changeset ab90986600ba7dea2aa41e5c1773791070725453 by Ned Deily (Victor Stinner) in branch '3.3':
[3.3] bpo-29591, bpo-30694: Upgrade Modules/expat to libexpat 2.2.1 (#2164) (#2204)
https://github.com/python/cpython/commit/ab90986600ba7dea2aa41e5c1773791070725453
msg298437 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2017-07-16 14:13
Yeah! It's nice to see this issue now fixed in all branches!
History
Date User Action Args
2017-07-16 14:13:30hayposetmessages: + msg298437
2017-07-16 08:58:34ned.deilysetpriority: deferred blocker ->
status: open -> closed
resolution: fixed
stage: needs patch -> resolved
2017-07-16 08:48:07ned.deilysetmessages: + msg298427
2017-07-12 12:41:36larrysetnosy: + larry
messages: + msg298208
2017-07-11 20:41:19hayposetpull_requests: + pull_request2738
2017-07-11 20:34:42hayposetpull_requests: + pull_request2737
2017-07-08 04:51:40ned.deilysetmessages: + msg297933
2017-07-07 05:54:57ned.deilysetassignee: haypo
messages: + msg297862
2017-07-07 05:31:46ned.deilysetmessages: + msg297859
2017-07-07 05:14:18ned.deilysetpull_requests: + pull_request2681
2017-06-21 15:14:09hayposetmessages: + msg296560
2017-06-21 15:12:50hayposetmessages: + msg296559
2017-06-21 14:05:17hayposetmessages: + msg296557
2017-06-21 14:05:14hayposetmessages: + msg296556
2017-06-21 13:15:29hayposetpull_requests: + pull_request2360
2017-06-21 13:12:06hayposetpull_requests: + pull_request2359
2017-06-21 13:10:10hayposetpull_requests: + pull_request2358
2017-06-21 12:39:24hayposetmessages: + msg296549
2017-06-21 10:34:23jklothsetnosy: + jkloth
messages: + msg296538
2017-06-20 22:03:57hayposetmessages: + msg296494
2017-06-20 15:03:12hayposetpull_requests: + pull_request2347
2017-06-20 14:58:29hayposetfiles: + rebuild_expat_dir.sh

messages: + msg296447
2017-06-18 03:01:27ned.deilycreate