Issue30610
Created on 2017-06-09 09:07 by Duy Phan Thanh, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | | |
|---|---|---|
| File name | Uploaded | Description |
| overflow.zip | Duy Phan Thanh, 2017-06-09 09:07 | |
| Pull Requests | | |
|---|---|---|
| URL | Status | Linked |
| PR 2021 | closed | matrixise, 2017-06-09 10:10 |
| Messages (9) | |||
|---|---|---|---|
| msg295502 - (view) | Author: Duy Phan Thanh (Duy Phan Thanh) | Date: 2017-06-09 09:07 | |
Python's libexpat library is outdated and vulnerable to CVE-2016-0718 https://sourceforge.net/p/expat/bugs/537/ which can cause remote code execution through malicious XML files. The attached POC crashed both Python 2.7 and Python 3.5 on my Windows machine. |
|||
| msg295504 - (view) | Author: STINNER Victor (vstinner) * | Date: 2017-06-09 09:29 | |
What is the first expat version which isn't vulnerable? I guess that this issue only impacts platforms which don't use --with-system-expat. Linux distributions use the system expat library for example. Currently, the Python master branch embeds a copy of expat 2.1.1:
Modules/expat/expat.h
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 1 |
|||
| msg295506 - (view) | Author: STINNER Victor (vstinner) * | Date: 2017-06-09 09:33 | |
I added this vulnerability to the Python security document: http://python-security.readthedocs.io/vuln/cve-2016-0718_expat_bug_537.html |
|||
| msg295509 - (view) | Author: Duy Phan Thanh (Duy Phan Thanh) | Date: 2017-06-09 09:40 | |
According to their changelog here https://github.com/libexpat/libexpat/blob/master/expat/Changes the vulnerability was fixed in expat 2.2.0, and yes, it does not affect systems that use --with-system-expat. |
|||
| msg295511 - (view) | Author: Stéphane Wirtel (matrixise) * | Date: 2017-06-09 10:13 | |
I have checked: in 3.4, 3.5 and 3.6, it's version 2.1.1, except for 2.7 and 3.3, where it's version 2.1.0. |
|||
| msg295545 - (view) | Author: Ned Deily (ned.deily) * | Date: 2017-06-09 15:36 | |
Isn't this a duplicate of Issue29591? |
|||
| msg295546 - (view) | Author: Stéphane Wirtel (matrixise) * | Date: 2017-06-09 15:39 | |
Yep, it's similar |
|||
| msg295552 - (view) | Author: STINNER Victor (vstinner) * | Date: 2017-06-09 16:25 | |
I opened a thread on python-dev to ask if we could drop our embedded copy of libexpat: https://mail.python.org/pipermail/python-dev/2017-June/148287.html |
|||
| msg295839 - (view) | Author: Ned Deily (ned.deily) * | Date: 2017-06-13 02:57 | |
I am closing this issue as a duplicate of the existing Issue29591. We can retitle the PR to be associated with it. And I am making Issue29591 a release blocker for 3.6.2; regardless of what we decide to do for 3.7, we're not going to drop the embedded copies of expat for current releases. |
|||
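The version check discussed in msg295504 and msg295509, as an added example that is not part of the issue or of CPython's code: it reads the three version defines from an expat.h header and compares that version, and the expat version the running interpreter reports, against 2.2.0. The helper names and the sample header string are assumptions made for illustration.

```python
import re
import sysconfig
from xml.parsers import expat

# First fixed release according to the expat changelog cited in msg295509.
FIXED_VERSION = (2, 2, 0)

_DEFINE = re.compile(
    r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)\s*$", re.M)


def header_version(header_text):
    """Return (major, minor, micro) parsed from the text of an expat.h header."""
    found = {name: int(value) for name, value in _DEFINE.findall(header_text)}
    missing = {"MAJOR", "MINOR", "MICRO"} - found.keys()
    if missing:
        raise ValueError("missing version defines: %s" % sorted(missing))
    return (found["MAJOR"], found["MINOR"], found["MICRO"])


def is_vulnerable(version):
    """True if this expat version predates the CVE-2016-0718 fix."""
    return tuple(version) < FIXED_VERSION


def runtime_report():
    """Describe the expat library that this interpreter's pyexpat is using."""
    # CONFIG_ARGS holds the ./configure arguments on POSIX builds; it is None on Windows.
    config_args = sysconfig.get_config_var("CONFIG_ARGS") or ""
    return {
        "expat_version": expat.version_info,
        "system_expat": "--with-system-expat" in config_args,
        "vulnerable": is_vulnerable(expat.version_info),
    }


# Constructed sample: the three defines quoted from Modules/expat/expat.h in msg295504.
SAMPLE_HEADER = """\
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 1
"""

if __name__ == "__main__":
    bundled = header_version(SAMPLE_HEADER)
    print("bundled header:", bundled, "vulnerable:", is_vulnerable(bundled))
    print("this interpreter:", runtime_report())
```

On a build that uses --with-system-expat, a distribution may ship the fix under an older version number, so a "vulnerable" result there should be checked against the distribution's own advisory.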
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:47 | admin | set | github: 74795 |
| 2017-06-13 02:58:00 | ned.deily | set | status: open -> closed superseder: expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472) messages: + msg295839 resolution: duplicate |
| 2017-06-09 16:25:34 | vstinner | set | messages: + msg295552 |
| 2017-06-09 15:39:15 | matrixise | set | messages: + msg295546 |
| 2017-06-09 15:36:52 | ned.deily | set | nosy: + ned.deily messages: + msg295545 |
| 2017-06-09 10:13:56 | matrixise | set | nosy: + matrixise messages: + msg295511 |
| 2017-06-09 10:12:51 | matrixise | set | versions: + Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7 |
| 2017-06-09 10:10:54 | matrixise | set | pull_requests: + pull_request2087 |
| 2017-06-09 09:40:12 | Duy Phan Thanh | set | messages: + msg295509 |
| 2017-06-09 09:33:51 | vstinner | set | messages: + msg295506 |
| 2017-06-09 09:29:13 | vstinner | set | nosy: + vstinner messages: + msg295504 |
| 2017-06-09 09:18:23 | Duy Phan Thanh | set | title: libexpat vulnerable to CVE-2016-0718 -> Python's libexpat vulnerable to CVE-2016-0718 |
| 2017-06-09 09:07:10 | Duy Phan Thanh | create | |
