Classification
Title: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)
Type: security
Stage: needs patch
Components: XML
Versions: Python 3.7, Python 3.6, Python 3.5, Python 2.7

Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: Chi Hsuan Yen, Natanael Copa, christian.heimes, haypo
Priority: normal
Keywords:

Created on 2017-02-17 15:39 by Natanael Copa, last changed 2017-02-21 13:19 by haypo.

Messages (5)
msg288014 - Author: Natanael Copa (Natanael Copa) Date: 2017-02-17 15:39
cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.0 to fix various security vulnerabilities.

21 June 2016, Expat 2.2.0 released.
Release 2.2.0 includes security & other bug fixes.

Security fixes

CVE-2016-0718 (issue 537)
Fix crash on malformed input

CVE-2016-4472
Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716 introduced with Expat 2.1.1

CVE-2016-5300 (issue 499)
Use more entropy for hash initialization than the original fix to CVE-2012-0876

CVE-2012-6702 (issue 519)
Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue 496)

Fix should be applied to all maintained python branches.
msg288016 - Author: STINNER Victor (haypo) (Python committer) Date: 2017-02-17 15:41
> CVE-2012-6702 (issue 519)
> Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue 496)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702

Extract of Modules/pyexpat.c:
---
#if ((XML_MAJOR_VERSION >= 2) && (XML_MINOR_VERSION >= 1)) || defined(XML_HAS_SET_HASH_SALT)
    /* This feature was added upstream in libexpat 2.1.0.  Our expat copy
     * has a backport of this feature where we also define XML_HAS_SET_HASH_SALT
     * to indicate that we can still use it. */
    XML_SetHashSalt(self->itself,
                    (unsigned long)_Py_HashSecret.prefix);
#endif
---

Python 2.7, 3.5, 3.6 and 3.7 have this call at least (I didn't check other versions).
msg288017 - Author: STINNER Victor (haypo) (Python committer) Date: 2017-02-17 15:42
You may want to look also at https://pypi.python.org/pypi/defusedxml
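An added example (not code from this tracker, from CPython, or from defusedxml) covering two points raised above: the version check implied by msg288014, which names expat 2.2.0 as the release carrying the CVE-2016-0718 and CVE-2016-4472 fixes, and the entity-refusing parse policy behind the defusedxml pointer in msg288017. It uses only the standard library's xml.parsers.expat wrapper over Modules/pyexpat.c; the function names (expat_version_is_fixed, parse_without_entities, classify) and the three sample documents are constructed for this illustration.

```python
"""Check the expat linked into this interpreter and parse XML defensively.

Added example for the bug report above; not CPython or defusedxml code.
"""
import xml.parsers.expat as expat  # re-exports pyexpat, i.e. Modules/pyexpat.c

# Release that the report (msg288014) says carries the CVE-2016-0718 and
# CVE-2016-4472 fixes.
MIN_EXPAT_VERSION = (2, 2, 0)


def expat_version_is_fixed(version_info=None, minimum=MIN_EXPAT_VERSION):
    """True when the expat Python was built or linked against is >= `minimum`.

    `version_info` defaults to pyexpat.version_info, e.g. (2, 2, 0).  That is
    the number that matters here, not the Python version, because a distro
    build may link a system expat rather than the bundled copy.
    """
    if version_info is None:
        version_info = expat.version_info
    return tuple(version_info) >= tuple(minimum)


class ForbiddenEntity(ValueError):
    """Raised when a document declares or references an entity."""


def parse_without_entities(data):
    """Parse `data` and return [(tag, attrs), ...] in document order.

    Any entity declaration (internal or external, general or parameter) or
    external entity reference aborts the parse; refusing entities outright is
    the policy defusedxml applies by default.  Malformed input surfaces as
    expat.ExpatError rather than being silently truncated.
    """
    parser = expat.ParserCreate()
    elements = []

    def on_start(name, attrs):
        elements.append((name, dict(attrs)))

    # Signature per xml.parsers.expat docs: EntityDeclHandler(entityName,
    # is_parameter_entity, value, base, systemId, publicId, notationName)
    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        kind = "parameter" if is_parameter else "general"
        raise ForbiddenEntity("refusing %s entity declaration %r" % (kind, name))

    # ExternalEntityRefHandler(context, base, systemId, publicId)
    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenEntity("refusing external entity reference %r" % (system_id,))

    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # An exception raised inside a handler stops the parser and propagates here.
    parser.Parse(data, True)
    return elements


# Constructed sample documents (not taken from the tracker).
SAMPLE_OK = b'<?xml version="1.0"?><root a="1"><child/></root>'
SAMPLE_ENTITY = b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
SAMPLE_MALFORMED = b'<root><child></root>'


def classify(data):
    """Return "ok", "entity" or "malformed" for a document, for reporting."""
    try:
        parse_without_entities(data)
    except ForbiddenEntity:
        return "entity"
    except expat.ExpatError:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    print("linked expat: %s; at least %s: %s"
          % (expat.EXPAT_VERSION, ".".join(map(str, MIN_EXPAT_VERSION)),
             expat_version_is_fixed()))
    for label, doc in (("ok", SAMPLE_OK), ("entity", SAMPLE_ENTITY),
                       ("malformed", SAMPLE_MALFORMED)):
        print("%-9s -> %s" % (label, classify(doc)))
```

The version check reads pyexpat.version_info rather than parsing a string, so it works the same whether the bundled Modules/expat copy or a system libexpat was linked in. Refusing entities at declaration time means the reference `&e;` in the second sample is never reached, and a malformed document fails loudly with ExpatError instead of yielding a partial tree.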
msg288018 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-02-17 15:44
CVE-2016-0718 and CVE-2016-4472 might be relevant for Python. CVE-2016-5300 and CVE-2012-6702 are irrelevant. As Victor already pointed out, Python seeds libexpat from a good CPRNG.
msg288296 - Author: STINNER Victor (haypo) (Python committer) Date: 2017-02-21 13:19
I'm working on a new documentation of Python vulnerabilities to help handle such issues:
http://python-security.readthedocs.io/en/latest/vulnerabilities.html
History
Date                 User              Action  Args
2017-02-21 13:19:13  haypo             set     messages: + msg288296
2017-02-20 09:55:38  Natanael Copa     set     title: Various security vulnerabilities in bundled expat -> Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)
2017-02-17 15:46:00  christian.heimes  set     assignee: christian.heimes
                                               stage: needs patch
                                               components: + XML
                                               versions: - Python 3.3, Python 3.4
2017-02-17 15:44:49  christian.heimes  set     messages: + msg288018
2017-02-17 15:43:56  Chi Hsuan Yen     set     nosy: + Chi Hsuan Yen
2017-02-17 15:42:34  haypo             set     messages: + msg288017
2017-02-17 15:41:46  haypo             set     nosy: + christian.heimes, haypo
                                               messages: + msg288016
2017-02-17 15:39:39  Natanael Copa     create