It seems expat doesn't have an OWNER in the Chromium repo.
https://chromium.googlesource.com/chromium/src/+log/master/third_party/expat

mbarbella@, you applied a patch a year ago (but not an upstream one?); how do we triage handle patches like this?

From what I remember, it's been a bit difficult to get patches taken in upstream here. I don't exactly remember why, but I'll give it a shot here. The short answer is that we'll apply the patch in our copy if we have to and make a note in the README.chromium to explain the local modification if necessary.

It really should have an owner, though. I'd rather not be it but I _might_ add myself if I can't get someone else to. If I recall, WebRTC is the biggest user of expat in Chromium. Patrik, is anyone from your team willing to do this?

I don't think so, no. It's used for the libjingle_xmpphelp target which isn't used. Seems to me we should get rid of it and the expat dependency. I have no idea what is was even used for, I guess the google talk plugin back in the day?

Or wait, it's also used by other targets like webrtc/libjingle/xmpp. I'll ask around.

Ok, xmpp are used in src/jingle and src/remoting. I think you want to check with the OWNERS of those things and see what they think.

Sergeyu@, you seem to have added the libexpat dependencies in libjingle and remoting. Can you get rid of it if it is not used anymore. Libexpat is untested and has ton of security vulnerabilities. Upstream is not accepting patches, so this insecure library we should get rid of. This is security fixit week, your support is appreciated.

From Sergey--

 xmllite was in libjingle previously, but now it's part of webrtc, see third_party/webrtc/libjingle/xmllite . Beside Chromoting it's also used by CloudPrint and Sync (though AFAIK Sync depends on it just for tests). In all cases it's used only for XMPP connection to GTalk, so I doubt these vulnerabilities can be exploitable, as the XMPP server validates XML (server side is in Java and doesn't use expat).
To avoid expat dependency xmllite would have to be rewritten to use libxml or something else for XML parsing. I'm not sure if it's something worth spending time on, unless we have exploitable vulnerabilities. XMPP is being deprecated, so all the services will need to migrate off of it at some point. I think we should be able to remove XMPP dependency in Chromoting around Q1 next year. I don't know if CloudPrint team has any work planned for that.

---

Based on that, i am marking this WontFix.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot