In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XMLGetCurrentLineNumber (or XMLGetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
{
"unresolved_ranges": [
{
"vendor_product": "python:python",
"cpes": [
"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
],
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.17"
},
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.8"
},
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.10"
},
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.5"
}
]
}
]
}{
"cpe": "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.2.8"
}
]
}