[issue30610] libexpat vulnerable to CVE-2016-0718
New submission from Duy Phan Thanh:

Python's libexpat library is outdated and vulnerable to CVE-2016-0718 (https://sourceforge.net/p/expat/bugs/537/), which can cause remote code execution through malicious XML files. The attached POC crashed both Python 2.7 and Python 3.5 on my Windows machine.

--
components: XML
files: overflow.zip
messages: 295502
nosy: Duy Phan Thanh
priority: normal
severity: normal
status: open
title: libexpat vulnerable to CVE-2016-0718
type: security
Added file: http://bugs.python.org/file46938/overflow.zip

___
Python tracker <http://bugs.python.org/issue30610>
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue30610] Python's libexpat vulnerable to CVE-2016-0718
Changes by Duy Phan Thanh:

--
title: libexpat vulnerable to CVE-2016-0718 -> Python's libexpat vulnerable to CVE-2016-0718
[issue30610] Python's libexpat vulnerable to CVE-2016-0718
Duy Phan Thanh added the comment:

According to their changelog here, https://github.com/libexpat/libexpat/blob/master/expat/Changes, the vulnerability was fixed in expat 2.2.0, and yes, it does not affect systems that use --with-system-expat.
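The thread leaves the defender with one practical question: which expat is the interpreter I am running actually linked against, and is it older than the 2.2.0 release named above as carrying the fix? The following is an added example, not code from the bug report or from CPython; it reads the version the stdlib pyexpat module reports and compares it against the fixed release. The 2.2.0 threshold is taken from the comment above; the caveat that a distribution's system expat may carry a backported fix under an older version number is an assumption noted in the code.

```python
# Added example (not from the bug report): check whether the expat
# linked into this Python interpreter predates the CVE-2016-0718 fix.
import re
import pyexpat

# Release named in the thread as the one that fixed CVE-2016-0718.
FIXED_VERSION = (2, 2, 0)


def parse_expat_version(version_string):
    """Turn an EXPAT_VERSION string such as 'expat_2.2.0' into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if m is None:
        raise ValueError("unrecognised expat version string: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def expat_predates_fix(version_info, fixed=FIXED_VERSION):
    """True when the given expat version is older than the fixed release.

    Caveat (assumption, not from the thread): a build made with
    --with-system-expat may use a distro expat that backported the fix
    under an older version number, so treat a True result as advisory.
    """
    return tuple(version_info) < tuple(fixed)


def check_running_interpreter():
    """Report on the expat that this interpreter actually loaded."""
    version = tuple(pyexpat.version_info)
    return {
        "expat_version": pyexpat.EXPAT_VERSION,
        "version_info": version,
        "predates_fix": expat_predates_fix(version),
    }


if __name__ == "__main__":
    report = check_running_interpreter()
    status = "OLDER than 2.2.0" if report["predates_fix"] else "2.2.0 or newer"
    print("%s -> %s" % (report["expat_version"], status))
```

Run it under each interpreter you deploy; an interpreter built against its own bundled expat will report whatever CPython shipped, while one built with --with-system-expat reports the system library's version.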