URL | Status | Linked
PR 26945 | merged | vstinner, 2021-06-29 00:56
PR 28031 | merged | miss-islington, 2021-08-29 14:08
PR 28032 | merged | miss-islington, 2021-08-29 14:08
PR 28033 | merged | miss-islington, 2021-08-29 14:08
PR 28042 | merged | lukasz.langa, 2021-08-29 15:17
PR 28080 | merged | ned.deily, 2021-08-31 06:34
PR 28617 | merged | pablogsal, 2021-09-29 12:22
PR 28619 | merged | miss-islington, 2021-09-29 13:18
PR 28620 | merged | miss-islington, 2021-09-29 13:18
PR 28621 | merged | miss-islington, 2021-09-29 13:19
PR 28624 | merged | lukasz.langa, 2021-09-29 13:53
PR 28627 | merged | miss-islington, 2021-09-29 14:30
|
msg395634 | Author: STINNER Victor (vstinner) | Date: 2021-06-11 14:14
Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to retrieve the fix for the security vulnerability CVE-2013-0340 "Billion Laughs":
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
The table of vulnerabilities in Python XML parsers should be updated as well:
https://docs.python.org/dev/library/xml.html#xml-vulnerabilities
My outdated notes on Modules/expat/: copy of libexpat
* ./configure --with-system-expat
* Rationale: https://mail.python.org/pipermail/python-dev/2017-June/148287.html
* Used on Windows and macOS, Linux distributions use system libexpat
* Version: search for XML_MAJOR_VERSION in Modules/expat/expat.h
* Script to update it: see attached script to https://bugs.python.org/issue30947
* Recent update: https://bugs.python.org/issue30947
* Python 2.7, 3.3-3.6 use libexpat 2.2.1
https://pythondev.readthedocs.io/files.html
|
msg395642 | Author: Guido van Rossum (gvanrossum) | Date: 2021-06-11 15:46
(From PSRT list, Sebastian:)
Please note that the vulnerability fix also added two new functions to
the API that would be great to have xml.parsers.expat expose to the
users for full control. These are:
- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold
Module xml.parsers.expat.errors and its docs also need 6 new error code
entries to be complete:
/* Added in 2.0. */
38 XML_ERROR_RESERVED_PREFIX_XML
39 XML_ERROR_RESERVED_PREFIX_XMLNS
40 XML_ERROR_RESERVED_NAMESPACE_URI
/* Added in 2.2.1. */
41 XML_ERROR_INVALID_ARGUMENT
/* Added in 2.3.0. */
42 XML_ERROR_NO_BUFFER
/* Added in 2.4.0. */
43 XML_ERROR_AMPLIFICATION_LIMIT_BREACH
With regard to the table of vulnerabilities mentioned in the ticket,
please note that the vulnerability "quadratic blowup" is also fixed by
>=2.4.0. Personally, I consider it a flavor of Billion Laughs and all
known variations are covered, including that one.
|
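Two checks that follow from msg395634 and msg395642, as an added example that is not code from CPython or from this issue: report whether the expat behind xml.parsers.expat (vendored or --with-system-expat) is at least 2.4.0, the release that introduced the two XML_SetBillionLaughsAttackProtection* limits, and parse untrusted XML with entity declarations refused, which blocks Billion Laughs and its quadratic-blowup flavor on any expat version. The names PROTECTED_SINCE, expat_has_amplification_limit, parse_untrusted, is_safe_to_parse and EntityDeclarationRefused are chosen here, and the two sample documents are constructed.

```python
# Added example (not CPython's or the issue's code) for the libexpat 2.4.x
# update: check the expat version behind xml.parsers.expat, and parse
# untrusted XML with entity declarations refused.
import xml.parsers.expat as expat

# First libexpat release with Billion Laughs protection (CVE-2013-0340);
# it added XML_SetBillionLaughsAttackProtectionMaximumAmplification and
# XML_SetBillionLaughsAttackProtectionActivationThreshold.
PROTECTED_SINCE = (2, 4, 0)


def expat_has_amplification_limit(version=None):
    """True if the given (or running, vendored or system) expat is >= 2.4.0."""
    if version is None:
        version = expat.version_info  # e.g. (2, 4, 1)
    return tuple(version) >= PROTECTED_SINCE


class EntityDeclarationRefused(ValueError):
    """Raised when untrusted XML declares an entity in its DTD."""


def parse_untrusted(data):
    """Parse XML bytes, returning [(tag, attrs), ...] for each start tag.

    Billion Laughs and its quadratic-blowup flavor both need <!ENTITY>
    declarations in the internal DTD subset. Raising from EntityDeclHandler
    stops expat before any expansion, independent of its own limits.
    """
    parser = expat.ParserCreate()
    seen = []

    def refuse_entity(name, is_parameter, value, base, system_id,
                      public_id, notation_name):
        raise EntityDeclarationRefused("entity %r declared in DTD" % name)

    parser.EntityDeclHandler = refuse_entity
    parser.StartElementHandler = lambda tag, attrs: seen.append((tag, attrs))
    parser.Parse(data, True)  # a handler exception propagates out of Parse
    return seen


def is_safe_to_parse(data):
    try:
        parse_untrusted(data)
    except EntityDeclarationRefused:
        return False
    return True


# Constructed sample inputs: a plain document and one declaring a harmless
# internal entity, which is exactly what the check must reject.
PLAIN_DOC = b'<config><limit value="100"/></config>'
ENTITY_DOC = b'<!DOCTYPE config [<!ENTITY v "100">]><config limit="&v;"/>'
```

A malformed document still raises the usual xml.parsers.expat.ExpatError from parse_untrusted; only the entity-declaration case is turned into EntityDeclarationRefused.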
msg395649 | Author: (sping) | Date: 2021-06-11 17:03
FTR that^^ Sebastian is me :)
|
msg396688 | Author: STINNER Victor (vstinner) | Date: 2021-06-29 00:57
The attached cpython_rebuild_expat_dir.sh script updates our libexpat copy in Modules/expat/ to 2.4.1. I used it to create the attached PR 26945.
|
msg400534 | Author: Łukasz Langa (lukasz.langa) | Date: 2021-08-29 14:08
New changeset 3fc5d84046ddbd66abac5b598956ea34605a4e5d by Victor Stinner in branch 'main':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
https://github.com/python/cpython/commit/3fc5d84046ddbd66abac5b598956ea34605a4e5d
|
msg400537 | Author: Łukasz Langa (lukasz.langa) | Date: 2021-08-29 14:31
New changeset c9c2a0bc9820f93f1020f3498f6893a3544c9b76 by Miss Islington (bot) in branch '3.8':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28033)
https://github.com/python/cpython/commit/c9c2a0bc9820f93f1020f3498f6893a3544c9b76
|
msg400538 | Author: miss-islington (miss-islington) | Date: 2021-08-29 14:32
New changeset 270678564c16452614a8acd93763bdf64fb4d286 by Miss Islington (bot) in branch '3.10':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
https://github.com/python/cpython/commit/270678564c16452614a8acd93763bdf64fb4d286
|
msg400539 | Author: Łukasz Langa (lukasz.langa) | Date: 2021-08-29 14:36
New changeset 007221a43e566db08c0c5c00756d80dfd9dccafe by Miss Islington (bot) in branch '3.9':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28032)
https://github.com/python/cpython/commit/007221a43e566db08c0c5c00756d80dfd9dccafe
|
msg400547 | Author: Łukasz Langa (lukasz.langa) | Date: 2021-08-29 15:24
3.6 will need a separate backport because it's using expat 2.2.6 at the moment (from b2260e59ff1eaf20de4738099005ddf507b7b27d).
3.7 conflicted since it didn't include local changes to the vendored 2.2.8 that were introduced in 3.8+. I fixed that, the backport is up.
|
msg400601 | Author: STINNER Victor (vstinner) | Date: 2021-08-30 13:39
I created https://python-security.readthedocs.io/vuln/expat-billion-laughs.html to track this vulnerability.
|
msg400691 | Author: Ned Deily (ned.deily) | Date: 2021-08-31 05:12
New changeset 79101b890ee021a901a8b6837a3a320d57adb725 by Łukasz Langa in branch '3.7':
[3.7] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042)
https://github.com/python/cpython/commit/79101b890ee021a901a8b6837a3a320d57adb725
|
msg400694 | Author: Ned Deily (ned.deily) | Date: 2021-08-31 06:35
New changeset 910886a6448e4bf1edf49eeace4aa240b6403772 by Ned Deily in branch '3.6':
[3.6] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) (GH-28080)
https://github.com/python/cpython/commit/910886a6448e4bf1edf49eeace4aa240b6403772
|
msg400695 | Author: Ned Deily (ned.deily) | Date: 2021-08-31 07:05
PRs merged in 3.7 branch for release in 3.7.12 and in 3.6 branch for release in 3.6.15.
|
msg402783 | Author: Pablo Galindo Salgado (pablogsal) | Date: 2021-09-28 15:43
The backport to 3.8 broke 3.8.12 in AIX:
0/Modules/_decimal/libmpdec/sixstep.o build/temp.aix-7.1-3.8/tmp/python3.8-3.8.12-0/Modules/_decimal/libmpdec/transpose.o -L. -L/opt/bb/lib -L/opt/bb/lib64 -R/opt/bb/lib64 -lm -o build/lib.aix-7.1-3.8/_decimal.cpython-38.so
*** WARNING: renaming "pyexpat" since importing it failed: rtld: 0712-001 Symbol _isnanf was referenced
from module build/lib.aix-7.1-3.8/pyexpat.cpython-38.so(), but a runtime definition of the symbol was not found.
|
msg402797 | Author: (sping) | Date: 2021-09-28 17:56
For the AIX link error that Pablo brought up, there is a merged pull request https://github.com/libexpat/libexpat/pull/510 upstream.
|
msg402869 | Author: Pablo Galindo Salgado (pablogsal) | Date: 2021-09-29 13:18
New changeset 6c1154b9de29e1c9cd3d05f5289543e5cff73895 by Pablo Galindo Salgado in branch 'main':
bpo-44394: Ensure libexpat is linked against libm (GH-28617)
https://github.com/python/cpython/commit/6c1154b9de29e1c9cd3d05f5289543e5cff73895
|
msg402872 | Author: miss-islington (miss-islington) | Date: 2021-09-29 13:48
New changeset fafa213870193cf79557588ae8f9a4af570fd6e3 by Miss Islington (bot) in branch '3.9':
bpo-44394: Ensure libexpat is linked against libm (GH-28617)
https://github.com/python/cpython/commit/fafa213870193cf79557588ae8f9a4af570fd6e3
|
msg402875 | Author: Łukasz Langa (lukasz.langa) | Date: 2021-09-29 14:13
New changeset 412ae8ab10734b72384c969181919cc4eb154406 by Miss Islington (bot) in branch '3.10':
[3.10] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28621)
https://github.com/python/cpython/commit/412ae8ab10734b72384c969181919cc4eb154406
|
msg402880 | Author: Łukasz Langa (lukasz.langa) | Date: 2021-09-29 14:36
New changeset 90004fca1cc3c6e3c9b2c3faae5cb1b7d7711648 by Miss Islington (bot) in branch '3.8':
[3.8] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28620)
https://github.com/python/cpython/commit/90004fca1cc3c6e3c9b2c3faae5cb1b7d7711648
|
msg409459 | Author: Stefan Behnel (scoder) | Date: 2022-01-01 14:27
I'd like to ask for clarification regarding issue 45321, which adds the missing error constants to the `expat` module. I consider those new features – it seems inappropriate to add new module constants in the middle of a release series. However, in this ticket here, the libexpat version was updated all the way back to Py3.6, to solve a security issue.
Should we also backport the error constants then?
|
Date | User | Action | Args
2022-04-11 14:59:46 | admin | set | github: 88560
2022-01-01 17:11:10 | gvanrossum | set | nosy: - gvanrossum
2022-01-01 14:27:08 | scoder | set | nosy: + scoder; messages: + msg409459
2021-09-29 14:36:03 | lukasz.langa | set | messages: + msg402880
2021-09-29 14:30:13 | miss-islington | set | pull_requests: + pull_request26997
2021-09-29 14:13:46 | lukasz.langa | set | messages: + msg402875
2021-09-29 13:53:49 | lukasz.langa | set | pull_requests: + pull_request26996
2021-09-29 13:48:03 | miss-islington | set | messages: + msg402872
2021-09-29 13:19:33 | miss-islington | set | pull_requests: + pull_request26994
2021-09-29 13:18:50 | miss-islington | set | pull_requests: + pull_request26993
2021-09-29 13:18:49 | pablogsal | set | messages: + msg402869
2021-09-29 13:18:45 | miss-islington | set | pull_requests: + pull_request26992
2021-09-29 12:22:37 | pablogsal | set | pull_requests: + pull_request26988
2021-09-28 17:56:52 | sping | set | messages: + msg402797
2021-09-28 15:43:45 | pablogsal | set | messages: + msg402783
2021-08-31 07:05:24 | ned.deily | set | status: open -> closed; resolution: fixed; messages: + msg400695; stage: patch review -> resolved
2021-08-31 06:35:39 | ned.deily | set | messages: + msg400694
2021-08-31 06:34:02 | ned.deily | set | pull_requests: + pull_request26523
2021-08-31 05:12:01 | ned.deily | set | messages: + msg400691
2021-08-30 13:39:34 | vstinner | set | messages: + msg400601
2021-08-29 15:24:19 | lukasz.langa | set | messages: + msg400547
2021-08-29 15:17:28 | lukasz.langa | set | pull_requests: + pull_request26487
2021-08-29 14:36:44 | lukasz.langa | set | messages: + msg400539
2021-08-29 14:32:58 | miss-islington | set | messages: + msg400538
2021-08-29 14:31:35 | lukasz.langa | set | messages: + msg400537
2021-08-29 14:08:47 | miss-islington | set | pull_requests: + pull_request26478
2021-08-29 14:08:42 | miss-islington | set | pull_requests: + pull_request26477
2021-08-29 14:08:37 | miss-islington | set | nosy: + miss-islington; pull_requests: + pull_request26476
2021-08-29 14:08:31 | lukasz.langa | set | messages: + msg400534
2021-06-29 00:57:30 | vstinner | set | files: + cpython_rebuild_expat_dir.sh; messages: + msg396688
2021-06-29 00:56:15 | vstinner | set | keywords: + patch; stage: patch review; pull_requests: + pull_request25512
2021-06-21 15:33:04 | vstinner | set | nosy: + ned.deily, lukasz.langa, pablogsal
2021-06-11 17:15:01 | sping | set | title: [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Updated to vendoed copy to expat 2.4.1 -> [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1
2021-06-11 17:03:52 | sping | set | nosy: + sping; messages: + msg395649
2021-06-11 15:46:25 | gvanrossum | set | nosy: + gvanrossum; messages: + msg395642
2021-06-11 14:14:07 | vstinner | create |