classification
Title: Security vulnerability in bundled expat CVE-2019-15903 (fix available in expat 2.2.8)
Type: security Stage: resolved
Components: XML Versions: Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Uche Ogbuji, benjamin.peterson, larry, ned.deily, vstinner
Priority: normal Keywords: patch

Created on 2019-09-14 20:10 by Uche Ogbuji, last changed 2019-10-09 05:34 by larry. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 16346 merged benjamin.peterson, 2019-09-24 04:03
PR 16407 merged benjamin.peterson, 2019-09-26 04:35
PR 16408 merged benjamin.peterson, 2019-09-26 04:37
PR 16409 merged benjamin.peterson, 2019-09-26 04:38
PR 16410 merged benjamin.peterson, 2019-09-26 04:39
PR 16411 merged benjamin.peterson, 2019-09-26 04:54
PR 16434 merged vstinner, 2019-09-27 09:49
Messages (12)
msg352449 - (view) Author: Uche Ogbuji (Uche Ogbuji) Date: 2019-09-14 20:10
cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.8 to security vulnerability CVE-2019-15903.

From Sebastian Pipping on XML-DEV ML:

Expat 2.2.8 [1] has been released yesterday.  This release fixes a
security issue — a heap buffer over-read known as CVE-2019-15903 [2]
reported by Joonun Jang resulting in Denial of Service —, starts using
the rand_s function on Windows and MinGW (ending the previous
LoadLibrary hack), includes non-security bugfixes, many build system
fixes and improvements, improvements to xmlwf usability, and more.

For more details regarding the latest release, please check out the
changelog [3].

If you maintain Expat packaging or a bundled copy of Expat or a pinned
version of Expat somewhere, please update to 2.2.8.  Thank you!

[1] https://github.com/libexpat/libexpat/releases/tag/R_2_2_8
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
[3] https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
msg353258 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-09-26 04:34
New changeset 52b940803860e37bcc3f6096b2d24e7c20a0e807 by Benjamin Peterson in branch 'master':
closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346)
https://github.com/python/cpython/commit/52b940803860e37bcc3f6096b2d24e7c20a0e807
msg353259 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-09-26 04:49
New changeset e73b93ab3e0bc2e5a3591f125f465353e025ecaf by Benjamin Peterson in branch '2.7':
[2.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16408)
https://github.com/python/cpython/commit/e73b93ab3e0bc2e5a3591f125f465353e025ecaf
msg353260 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-09-26 04:55
New changeset 8e4622ea898bdda687eb2fb0747721c0cd8b0d02 by Benjamin Peterson in branch '3.7':
[3.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16407)
https://github.com/python/cpython/commit/8e4622ea898bdda687eb2fb0747721c0cd8b0d02
msg353261 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-09-26 04:57
New changeset d75bf44a2812a249663f979dc8379d27c1633ba5 by Benjamin Peterson in branch '3.8':
[3.8] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16409)
https://github.com/python/cpython/commit/d75bf44a2812a249663f979dc8379d27c1633ba5
msg353262 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-09-26 05:00
New changeset f0501630b0ba31448c230c756b1027647f4ef100 by Benjamin Peterson in branch '3.6':
[3.6] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16410)
https://github.com/python/cpython/commit/f0501630b0ba31448c230c756b1027647f4ef100
msg353265 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-09-26 05:07
New changeset 90b4e49c98dd0ff948e13dd0618240c2294eb23d by Benjamin Peterson in branch '2.7':
bpo-38174 follow up: Remove loadlibrary.c from VS9.0. (GH-16411)
https://github.com/python/cpython/commit/90b4e49c98dd0ff948e13dd0618240c2294eb23d
msg353273 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-09-26 07:21
> New changeset 90b4e49c98dd0ff948e13dd0618240c2294eb23d by Benjamin Peterson in branch '2.7':
> bpo-38174 follow up: Remove loadlibrary.c from VS9.0. (GH-16411)

Oh, I was going to report AMD64 Windows7 SP1 VS9.0 2.7 buildbot failure and propose a fix, but you already fixed it. Thanks!
https://buildbot.python.org/all/#/builders/26/builds/334
msg353274 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-09-26 07:23
Benjamin: Python 3.5 is in the Versions field, but I don't see any change related to 3.5 yet. It's also impacted, no? Do you plan to backport the fix? I can do it if you want.
msg353342 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2019-09-27 01:16
You're welcome to 3.5.

On Thu, Sep 26, 2019, at 00:23, STINNER Victor wrote:
> 
> STINNER Victor <vstinner@python.org> added the comment:
> 
> Benjamin: Python 3.5 is in the Versions field, but I don't see any 
> change related to 3.5 yet. It's also impacted, no? Do you plan to 
> backport the fix? I can do it if you want.
> 
> ----------
> resolution: fixed -> 
> status: closed -> open
> 
> _______________________________________
> Python tracker <report@bugs.python.org>
> <https://bugs.python.org/issue38174>
> _______________________________________
>
msg353423 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-09-27 22:07
Perhaps this should be a release blocker for 3.5.8.  Larry?
msg354248 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2019-10-09 05:34
New changeset c386c8b06c6e92786f083ef6aba27b37087fdd20 by larryhastings (Victor Stinner) in branch '3.5':
closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) (#16434)
https://github.com/python/cpython/commit/c386c8b06c6e92786f083ef6aba27b37087fdd20
History
Date User Action Args
2019-10-09 05:34:30larrysetstatus: open -> closed
resolution: fixed
messages: + msg354248

stage: patch review -> resolved
2019-09-27 22:07:42ned.deilysetnosy: + ned.deily, larry
messages: + msg353423
2019-09-27 09:49:50vstinnersetstage: resolved -> patch review
pull_requests: + pull_request16013
2019-09-27 01:16:43benjamin.petersonsetmessages: + msg353342
2019-09-26 07:23:37vstinnersetstatus: closed -> open
resolution: fixed -> (no value)
messages: + msg353274
2019-09-26 07:21:28vstinnersetmessages: + msg353273
2019-09-26 05:07:12benjamin.petersonsetmessages: + msg353265
2019-09-26 05:00:30benjamin.petersonsetmessages: + msg353262
2019-09-26 04:57:18benjamin.petersonsetmessages: + msg353261
2019-09-26 04:55:02benjamin.petersonsetmessages: + msg353260
2019-09-26 04:54:31benjamin.petersonsetpull_requests: + pull_request15993
2019-09-26 04:49:07benjamin.petersonsetmessages: + msg353259
2019-09-26 04:39:01benjamin.petersonsetpull_requests: + pull_request15992
2019-09-26 04:38:04benjamin.petersonsetpull_requests: + pull_request15991
2019-09-26 04:37:23benjamin.petersonsetpull_requests: + pull_request15990
2019-09-26 04:35:37benjamin.petersonsetpull_requests: + pull_request15989
2019-09-26 04:34:02benjamin.petersonsetstatus: open -> closed

nosy: + benjamin.peterson
messages: + msg353258

resolution: fixed
stage: patch review -> resolved
2019-09-24 04:03:26benjamin.petersonsetkeywords: + patch
stage: patch review
pull_requests: + pull_request15923
2019-09-14 23:21:45xtreaksetnosy: + vstinner
2019-09-14 20:10:07Uche Ogbujicreate