classification
Title: Python's libexpat vulnerable to CVE-2016-0718
Type: security Stage: resolved
Components: XML Versions: Python 3.7, Python 3.6, Python 3.3, Python 3.4, Python 3.5, Python 2.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: Issue29591: expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)
Assigned To: Nosy List: Duy Phan Thanh, matrixise, ned.deily, vstinner
Priority: normal Keywords:

Created on 2017-06-09 09:07 by Duy Phan Thanh, last changed 2017-06-13 02:58 by ned.deily. This issue is now closed.

Files
File name | Uploaded | Description
overflow.zip | Duy Phan Thanh, 2017-06-09 09:07 |
Pull Requests
URL | Status | Linked
PR 2021 | closed | matrixise, 2017-06-09 10:10
Messages (9)
msg295502 - Author: Duy Phan Thanh (Duy Phan Thanh) Date: 2017-06-09 09:07
Python's libexpat library is outdated and vulnerable to CVE-2016-0718 https://sourceforge.net/p/expat/bugs/537/
which can cause remote code execution through malicious xml files. The attached POC crashed both python 2.7 and python 3.5 on my windows machine.
msg295504 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-06-09 09:29
What is the first expat version which isn't vulnerable?

I guess that this issue only impacts platforms which don't use --with-system-expat. Linux distributions use the system expat library for example.

Currently, the Python master branch embeds a copy of expat 2.1.1:

Modules/expat/expat.h
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 1
msg295506 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-06-09 09:33
I added this vulnerability to the Python security document:
http://python-security.readthedocs.io/vuln/cve-2016-0718_expat_bug_537.html
msg295509 - Author: Duy Phan Thanh (Duy Phan Thanh) Date: 2017-06-09 09:40
According to their changelog here https://github.com/libexpat/libexpat/blob/master/expat/Changes
the vulnerability was fixed in expat 2.2.0, and yes, it does not affect systems that use --with-system-expat.
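The two checks the thread implies, as an added example that is not part of the original report or of CPython: read the XML_*_VERSION macros the way msg295504 quotes them from Modules/expat/expat.h, and compare the expat the running interpreter actually loaded (bundled or system) against the 2.2.0 fix version from msg295509. The sample header text is constructed here to mirror the three macros quoted above; the CONFIG_ARGS lookup for --with-system-expat is best-effort and only meaningful on POSIX builds.

```python
import re
import sysconfig

import pyexpat

# First expat release carrying the fix for CVE-2016-0718 (per the libexpat
# Changes file cited in msg295509).
FIXED_VERSION = (2, 2, 0)

# Constructed sample mirroring the three macros quoted from Modules/expat/expat.h
# in msg295504; this is not the real header.
SAMPLE_EXPAT_H = """\
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 1
"""


def parse_expat_h(text):
    """Return (major, minor, micro) from the XML_*_VERSION macros in expat.h text."""
    parts = []
    for name in ("MAJOR", "MINOR", "MICRO"):
        m = re.search(r"^\s*#define\s+XML_%s_VERSION\s+(\d+)" % name, text, re.M)
        if m is None:
            raise ValueError("XML_%s_VERSION not found" % name)
        parts.append(int(m.group(1)))
    return tuple(parts)


def is_vulnerable(version):
    """True when an expat version predates the 2.2.0 fix (version-based check only)."""
    return tuple(version) < FIXED_VERSION


def runtime_expat_version():
    """Version of the expat this interpreter loaded, whether bundled or system-provided."""
    return tuple(pyexpat.version_info)


def built_with_system_expat():
    """Best-effort: True/False from configure's CONFIG_ARGS on POSIX builds,
    None when the information is unavailable (e.g. Windows installers)."""
    args = sysconfig.get_config_var("CONFIG_ARGS")
    if not args:
        return None
    return "--with-system-expat" in args


def report():
    """Human-readable summary of what the running interpreter links against."""
    ver = runtime_expat_version()
    lines = [
        "pyexpat reports %s (%s)" % (pyexpat.EXPAT_VERSION, ".".join(map(str, ver))),
        "version predates CVE-2016-0718 fix: %s" % is_vulnerable(ver),
        "built with --with-system-expat: %s" % built_with_system_expat(),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The runtime check is the one that matters operationally: on Windows and macOS installers pyexpat is built from the bundled copy, so its version is the bundled version, while a Linux distribution build reports the system library. One caveat: distributions routinely backport the fix into an older release number, so a 2.1.x reported by a distro package is not proof of exposure; treat the version comparison as a prompt to check the package's changelog, not as a verdict.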
msg295511 - Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2017-06-09 10:13
I have checked in 3.4, 3.5 and 3.6: it's version 2.1.1, except for 2.7 and 3.3, where it's version 2.1.0.
msg295545 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-06-09 15:36
Isn't this a duplicate of Issue29591 ?
msg295546 - Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2017-06-09 15:39
Yep, it's similar
msg295552 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-06-09 16:25
I opened a thread on python-dev to ask if we could drop our embedded copy of libexpat:
https://mail.python.org/pipermail/python-dev/2017-June/148287.html
msg295839 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2017-06-13 02:57
I am closing this issue as a duplicate of the existing Issue29591. We can retitle the PR to be associated with it. And I am making Issue29591 a release blocker for 3.6.2; regardless of what we decide to do for 3.7, we're not going to drop the embedded copies of expat for current releases.
History
Date | User | Action | Args
2017-06-13 02:58:00 | ned.deily | set | status: open -> closed; superseder: expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472); messages: + msg295839; resolution: duplicate; stage: resolved
2017-06-09 16:25:34 | vstinner | set | messages: + msg295552
2017-06-09 15:39:15 | matrixise | set | messages: + msg295546
2017-06-09 15:36:52 | ned.deily | set | nosy: + ned.deily; messages: + msg295545
2017-06-09 10:13:56 | matrixise | set | nosy: + matrixise; messages: + msg295511
2017-06-09 10:12:51 | matrixise | set | versions: + Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7
2017-06-09 10:10:54 | matrixise | set | pull_requests: + pull_request2087
2017-06-09 09:40:12 | Duy Phan Thanh | set | messages: + msg295509
2017-06-09 09:33:51 | vstinner | set | messages: + msg295506
2017-06-09 09:29:13 | vstinner | set | nosy: + vstinner; messages: + msg295504
2017-06-09 09:18:23 | Duy Phan Thanh | set | title: libexpat vulnerable to CVE-2016-0718 -> Python's libexpat vulnerable to CVE-2016-0718
2017-06-09 09:07:10 | Duy Phan Thanh | create |