Security vulnerability in bundled expat CVE-2019-15903 (fix available in expat 2.2.8)

[UcheOgbuji]

BPO	38174
Nosy	@vstinner, @larryhastings, @benjaminp, @ned-deily
PRs	closes bpo-38174: Update vendored expat library to 2.2.8. #16346 [3.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16407 [2.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16408 [3.8] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16409 [3.6] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16410 [2.7] bpo-38174 follow up: Remove loadlibrary.c from VS9.0. #16411 [3.5] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16434

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2019-10-09.05:34:30.679>
created_at = <Date 2019-09-14.20:10:07.191>
labels = ['type-security', 'expert-XML', '3.7', '3.8', '3.9']
title = 'Security vulnerability in bundled expat CVE-2019-15903 (fix available in expat 2.2.8)'
updated_at = <Date 2019-10-09.05:34:30.678>
user = 'https://bugs.python.org/UcheOgbuji'

bugs.python.org fields:

activity = <Date 2019-10-09.05:34:30.678>
actor = 'larry'
assignee = 'none'
closed = True
closed_date = <Date 2019-10-09.05:34:30.679>
closer = 'larry'
components = ['XML']
creation = <Date 2019-09-14.20:10:07.191>
creator = 'Uche Ogbuji'
dependencies = []
files = []
hgrepos = []
issue_num = 38174
keywords = ['patch']
message_count = 12.0
messages = ['352449', '353258', '353259', '353260', '353261', '353262', '353265', '353273', '353274', '353342', '353423', '354248']
nosy_count = 5.0
nosy_names = ['vstinner', 'larry', 'benjamin.peterson', 'ned.deily', 'Uche Ogbuji']
pr_nums = ['16346', '16407', '16408', '16409', '16410', '16411', '16434']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue38174'
versions = ['Python 2.7', 'Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9']

[UcheOgbuji]

cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.8 to security vulnerability CVE-2019-15903.

From Sebastian Pipping on XML-DEV ML:

Expat 2.2.8 [1] has been released yesterday. This release fixes a
security issue — a heap buffer over-read known as CVE-2019-15903 [2]
reported by Joonun Jang resulting in Denial of Service —, starts using
the rand_s function on Windows and MinGW (ending the previous
LoadLibrary hack), includes non-security bugfixes, many build system
fixes and improvements, improvements to xmlwf usability, and more.

For more details regarding the latest release, please check out the
changelog [3].

If you maintain Expat packaging or a bundled copy of Expat or a pinned
version of Expat somewhere, please update to 2.2.8. Thank you!

[1] https://github.com/libexpat/libexpat/releases/tag/R_2_2_8
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
[3] https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes

[benjaminp]

New changeset 52b9408 by Benjamin Peterson in branch 'master':
closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346)
52b9408

[benjaminp]

New changeset e73b93a by Benjamin Peterson in branch '2.7':
[2.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16408)
e73b93a

[benjaminp]

New changeset 8e4622e by Benjamin Peterson in branch '3.7':
[3.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16407)
8e4622e

[benjaminp]

New changeset d75bf44 by Benjamin Peterson in branch '3.8':
[3.8] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16409)
d75bf44

[benjaminp]

New changeset f050163 by Benjamin Peterson in branch '3.6':
[3.6] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16410)
f050163

[benjaminp]

New changeset 90b4e49 by Benjamin Peterson in branch '2.7':
bpo-38174 follow up: Remove loadlibrary.c from VS9.0. (GH-16411)
90b4e49

[vstinner]

New changeset 90b4e49 by Benjamin Peterson in branch '2.7':
bpo-38174 follow up: Remove loadlibrary.c from VS9.0. (GH-16411)

Oh, I was going to report AMD64 Windows7 SP1 VS9.0 2.7 buildbot failure and propose a fix, but you already fixed it. Thanks!
https://buildbot.python.org/all/#/builders/26/builds/334

[vstinner]

Benjamin: Python 3.5 is in the Versions field, but I don't see any change related to 3.5 yet. It's also impacted, no? Do you plan to backport the fix? I can do it if you want.