Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to retrieve the fix for the security vulnerabily CVE-2013-0340 "Billion Laughs":
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/

The table of vulnerabilities in Python XML parsers should be updated as well:
https://docs.python.org/dev/library/xml.html#xml-vulnerabilities

My outdated notes on Modules/expat/: copy of libexpat

• ./configure --with-system-expat
• Rationale: https://mail.python.org/pipermail/python-dev/2017-June/148287.html
• Used on Windows and macOS, Linux distributions use system libexpat
• Version: search for XML_MAJOR_VERSION in Modules/expat/expat.h
• Script to update it: see attached script to https://bugs.python.org/issue30947
• Recent update: https://bugs.python.org/issue30947
• Python 2.7, 3.3-3.6 use libexpat 2.2.1

https://pythondev.readthedocs.io/files.html

(From PSRT list, Sebastian:)

Please note that the vulnerability fix also added two new functions to
the API that would be great to have xml.parsers.expat expose to the
users for full control. These are:

• XML_SetBillionLaughsAttackProtectionMaximumAmplification and
• XML_SetBillionLaughsAttackProtectionActivationThreshold

Module xml.parsers.expat.errors and its docs also needs 6 new error code
entries to be complete:

/* Added in 2.0. */
38 XML_ERROR_RESERVED_PREFIX_XML
39 XML_ERROR_RESERVED_PREFIX_XMLNS
40 XML_ERROR_RESERVED_NAMESPACE_URI

/* Added in 2.2.1. */
41 XML_ERROR_INVALID_ARGUMENT

/* Added in 2.3.0. */
42 XML_ERROR_NO_BUFFER

/* Added in 2.4.0. */
43 XML_ERROR_AMPLIFICATION_LIMIT_BREACH

With regard to the table of vulnerabilities mentioned in the ticket,
please note that vulnerability "quadratic blowup" is also fixed by

=2.4.0. Personally, I consider it a flavor of Billion Laughs and all
know variations are covered, including that one.

FTR that^^ Sebastian is me :)

Attached cpython_rebuild_expat_dir.sh script updates Modules/expat/ to our libexpat copy to 2.4.1. I used it to create attached PR 26945.

New changeset 3fc5d84 by Victor Stinner in branch 'main':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
3fc5d84

New changeset c9c2a0b by Miss Islington (bot) in branch '3.8':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28033)
c9c2a0b

New changeset 2706785 by Miss Islington (bot) in branch '3.10':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
2706785

New changeset 007221a by Miss Islington (bot) in branch '3.9':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28032)
007221a

3.6 will need a separate backport because it's using expat 2.2.6 at the moment (from b2260e5).

3.7 conflicted since it didn't include local changes to the vendored 2.2.8 that were introduced in 3.8+. I fixed that, the backport is up.

I created https://python-security.readthedocs.io/vuln/expat-billion-laughs.html to track this vulnerability.

New changeset 79101b8 by Łukasz Langa in branch '3.7':
[3.7] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042)
79101b8

New changeset 910886a by Ned Deily in branch '3.6':
[3.6] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) (GH-28080)
910886a

PRs merged in 3.7 branch for release in 3.7.12 and in 3.6 branch for release in 3.6.15.

The backport to 3.8 broke 3.8.12 in AIX:

0/Modules/_decimal/libmpdec/sixstep.o build/temp.aix-7.1-3.8/tmp/python3.8-3.8.12-0/Modules/_decimal/libmpdec/transpose.o -L. -L/opt/bb/lib -L/opt/bb/lib64 -R/opt/bb/lib64 -lm -o build/lib.aix-7.1-3.8/_decimal.cpython-38.so

*** WARNING: renaming "pyexpat" since importing it failed: rtld: 0712-001 Symbol _isnanf was referenced
from module build/lib.aix-7.1-3.8/pyexpat.cpython-38.so(), but a runtime definition of the symbol was not found.

For the AIX link error that Pablo brought up, there is merged pull request libexpat/libexpat#510 upstream.

New changeset 6c1154b by Pablo Galindo Salgado in branch 'main':
bpo-44394: Ensure libexpat is linked against libm (GH-28617)
6c1154b

New changeset fafa213 by Miss Islington (bot) in branch '3.9':
bpo-44394: Ensure libexpat is linked against libm (GH-28617)
fafa213

New changeset 412ae8a by Miss Islington (bot) in branch '3.10':
[3.10] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28621)
412ae8a

New changeset 90004fc by Miss Islington (bot) in branch '3.8':
[3.8] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28620)
90004fc

I'd like to ask for clarification regarding bpo-45321, which adds the missing error constants to the expat module. I consider those new features – it seems inappropriate to add new module constants in the middle of a release series. However, in this ticket here, the libexpat version was updated all the way back to Py3.6, to solve a security issue.

Should we also backport the error constants then?