Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python's libexpat vulnerable to CVE-2016-0718 #74795

Closed
DuyPhanThanh mannequin opened this issue Jun 9, 2017 · 9 comments
Closed

Python's libexpat vulnerable to CVE-2016-0718 #74795

DuyPhanThanh mannequin opened this issue Jun 9, 2017 · 9 comments
Labels
3.7 (EOL) end of life topic-XML type-security A security issue

Comments

@DuyPhanThanh
Copy link
Mannequin

DuyPhanThanh mannequin commented Jun 9, 2017

BPO 30610
Nosy @vstinner, @ned-deily, @matrixise
PRs
  • bpo-30610: [Security] Python's libexpat vulnerable to CVE-2016-0718 #2021
    		•
    Superseder
  • bpo-29591: expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)
    		•
    Files
  • overflow.zip
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2017-06-13.02:58:00.028>
created_at = <Date 2017-06-09.09:07:10.314>
labels = ['type-security', 'expert-XML', '3.7']
title = "Python's libexpat vulnerable to CVE-2016-0718"
updated_at = <Date 2017-06-13.02:58:00.027>
user = 'https://bugs.python.org/DuyPhanThanh'

    bugs.python.org fields:

    activity = <Date 2017-06-13.02:58:00.027>
actor = 'ned.deily'
assignee = 'none'
closed = True
closed_date = <Date 2017-06-13.02:58:00.028>
closer = 'ned.deily'
components = ['XML']
creation = <Date 2017-06-09.09:07:10.314>
creator = 'Duy Phan Thanh'
dependencies = []
files = ['46938']
hgrepos = []
issue_num = 30610
keywords = []
message_count = 9.0
messages = ['295502', '295504', '295506', '295509', '295511', '295545', '295546', '295552', '295839']
nosy_count = 4.0
nosy_names = ['vstinner', 'ned.deily', 'matrixise', 'Duy Phan Thanh']
pr_nums = ['2021']
priority = 'normal'
resolution = 'duplicate'
stage = 'resolved'
status = 'closed'
superseder = '29591'
type = 'security'
url = 'https://bugs.python.org/issue30610'
versions = ['Python 2.7', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6', 'Python 3.7']
    @DuyPhanThanh
    Copy link
    Mannequin Author

    DuyPhanThanh mannequin commented Jun 9, 2017

    Python's libexpat library is outdated and vulnerable to CVE-2016-0718 https://sourceforge.net/p/expat/bugs/537/
    which can cause remote code execution through malicious xml files. The attached POC crashed both python 2.7 and python 3.5 on my windows machine.

    @DuyPhanThanh DuyPhanThanh mannequin added topic-XML type-security A security issue labels Jun 9, 2017
    @DuyPhanThanh DuyPhanThanh mannequin changed the title libexpat vulnerable to CVE-2016-0718 Python's libexpat vulnerable to CVE-2016-0718 Jun 9, 2017
    @vstinner
    Copy link
    Member

    vstinner commented Jun 9, 2017

    What is the first expat version which isn't vulnerable?

    I guess that this issue only impacts platforms which don't use --with-system-expat. Linux distributions use the system expat library for example.

    Currently, the Python master branch embeds a copy of expat 2.1.1:

    Modules/expat/expat.h
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 1

    @vstinner
    Copy link
    Member

    vstinner commented Jun 9, 2017

    I add this vulnerability to Python security document:
    http://python-security.readthedocs.io/vuln/cve-2016-0718_expat_bug_537.html

    @DuyPhanThanh
    Copy link
    Mannequin Author

    DuyPhanThanh mannequin commented Jun 9, 2017

    According to their changelog here https://github.com/libexpat/libexpat/blob/master/expat/Changes
    The vulnerability was fixed in expat 2.2.0 and yes it does not affect system that use --with-system-expat.

    @matrixise matrixise added the 3.7 (EOL) end of life label Jun 9, 2017
    @matrixise
    Copy link
    Member

    I have checked in 3.4, 3.5 and 3.6, it's the version 2.1.1 excepted for 2.7, 3.3 it's the version 2.1.0

    @ned-deily
    Copy link
    Member

    Isn't this a duplicate of bpo-29591 ?

    @matrixise
    Copy link
    Member

    Yep, it's similar

    @vstinner
    Copy link
    Member

    vstinner commented Jun 9, 2017

    I opened a thread on python-dev to ask if we could drop our embedded copy of libexpat:
    https://mail.python.org/pipermail/python-dev/2017-June/148287.html

    @ned-deily
    Copy link
    Member

    I am closing this issue as a duplicate of the existing bpo-29591. We can retitle the PR to be associated with it. And I am making bpo-29591 a release blocker for 3.6.2; regardless of what we decide to for 3.7, we're not going to drop the embedded copies of expat for current releases.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    3.7 (EOL) end of life topic-XML type-security A security issue
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    3 participants
    @matrixise @vstinner @ned-deily