bpo-30610: [Security] Python's libexpat vulnerable to CVE-2016-0718

[matrixise]

CVE-2016-0718: Expat allows context-dependent attackers to cause a
denial of service (crash) or possibly execute arbitrary code via a
malformed input document, which triggers a buffer overflow.

https://nvd.nist.gov/vuln/detail/CVE-2016-0718

Upgrade to Expat 2.2.0, which is not vulnerable

https://github.com/libexpat/libexpat/blob/R_2_2_0/expat/Changes

Read the description: https://bugs.python.org/issue30610

[vstinner]

Please add an entry in Misc/NEWS, you may add [Security] prefix in your message.

[matrixise]

@Haypo fixed with Misc/NEWS, please could you review ? thanks

[matrixise]

For the update of this library, just clone the repository and use the tag R_2_2_0
this tag contains the fix for CVE-2016-0718.

now, there is no experts (in https://github.com/python/devguide/blob/master/experts.rst#stdlib) for the xml.parsers.expat module, and in this case, I am not sure about this update, but all the tests passed.

git clone https://github.com/libexpat/libexpat
cd libexpat
git checkout R_2_2_0
cp expat/lib/*.{c,h} ~/cpython/Modules/expat/

[matrixise]

I close this PR because the PR #2164 of @Haypo has a better solution to this issue.