Classification
Title: [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1
Type: security
Stage: resolved
Components: Extension Modules
Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: gvanrossum, lukasz.langa, miss-islington, ned.deily, pablogsal, sping, vstinner
Priority: normal
Keywords: patch

Created on 2021-06-11 14:14 by vstinner, last changed 2021-08-31 07:05 by ned.deily. This issue is now closed.

Files
- cpython_rebuild_expat_dir.sh (uploaded by vstinner, 2021-06-29 00:57)

Pull Requests
- PR 26945: merged (linked by vstinner, 2021-06-29 00:56)
- PR 28031: merged (linked by miss-islington, 2021-08-29 14:08)
- PR 28032: merged (linked by miss-islington, 2021-08-29 14:08)
- PR 28033: merged (linked by miss-islington, 2021-08-29 14:08)
- PR 28042: merged (linked by lukasz.langa, 2021-08-29 15:17)
- PR 28080: merged (linked by ned.deily, 2021-08-31 06:34)
Messages (13)
msg395634 - Author: STINNER Victor (vstinner) (Python committer) Date: 2021-06-11 14:14
Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to retrieve the fix for the security vulnerability CVE-2013-0340 "Billion Laughs":
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/

The table of vulnerabilities in Python XML parsers should be updated as well:
https://docs.python.org/dev/library/xml.html#xml-vulnerabilities

My outdated notes on Modules/expat/: copy of libexpat

* ./configure --with-system-expat
* Rationale: https://mail.python.org/pipermail/python-dev/2017-June/148287.html
* Used on Windows and macOS, Linux distributions use system libexpat
* Version: search for XML_MAJOR_VERSION in Modules/expat/expat.h
* Script to update it: see attached script to https://bugs.python.org/issue30947
* Recent update: https://bugs.python.org/issue30947
* Python 2.7, 3.3-3.6 use libexpat 2.2.1

https://pythondev.readthedocs.io/files.html
msg395642 - Author: Guido van Rossum (gvanrossum) (Python committer) Date: 2021-06-11 15:46
(From PSRT list, Sebastian:)

Please note that the vulnerability fix also added two new functions to
the API that it would be great to have xml.parsers.expat expose to the
users for full control.  These are:

- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold

Module xml.parsers.expat.errors and its docs also need 6 new error code
entries to be complete:

  /* Added in 2.0. */
  38 XML_ERROR_RESERVED_PREFIX_XML
  39 XML_ERROR_RESERVED_PREFIX_XMLNS
  40 XML_ERROR_RESERVED_NAMESPACE_URI

  /* Added in 2.2.1. */
  41 XML_ERROR_INVALID_ARGUMENT

  /* Added in 2.3.0. */
  42 XML_ERROR_NO_BUFFER

  /* Added in 2.4.0. */
  43 XML_ERROR_AMPLIFICATION_LIMIT_BREACH

With regard to the table of vulnerabilities mentioned in the ticket,
please note that vulnerability "quadratic blowup" is also fixed by
>=2.4.0.  Personally, I consider it a flavor of Billion Laughs and all
known variations are covered, including that one.
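As an added example (not code from this issue or from CPython), the following is a static, pre-parse estimate of the amplification ratio that Expat 2.4's protection tracks while parsing, with the two tunables corresponding to the functions named above. The 100.0 maximum and 8 MiB activation threshold are Expat's documented defaults; the regexes cover only internal general entities, and the sample document is constructed for this example.

```python
import re

# Expat 2.4.0 defaults (from Expat's reference, not from this issue): the check
# is armed only once direct + indirect bytes pass the activation threshold, then
# XML_ERROR_AMPLIFICATION_LIMIT_BREACH is raised if the ratio exceeds the maximum.
DEFAULT_MAX_AMPLIFICATION = 100.0
DEFAULT_ACTIVATION_THRESHOLD = 8 * 1024 * 1024  # bytes
_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # internal only
_ENTITY_REF = re.compile(r'&(\w+);')

def expanded_size(name, entities, memo, stack=()):
    """Bytes produced by fully expanding internal entity `name`; a reference
    cycle raises ValueError (Expat reports XML_ERROR_RECURSIVE_ENTITY_REF)."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f"recursive entity reference: {name}")
    value = entities.get(name)
    if value is None:  # undeclared, predefined or external: no inline text
        return 0
    size, pos = 0, 0
    for m in _ENTITY_REF.finditer(value):
        size += m.start() - pos  # literal text before the reference
        size += expanded_size(m.group(1), entities, memo, stack + (name,))
        pos = m.end()
    memo[name] = size + len(value) - pos  # trailing literal text
    return memo[name]

def indirect_bytes(doc):
    """Replacement text pulled in by references outside the DTD; declarations
    themselves count as direct bytes, as in Expat's accounting."""
    entities = dict(_ENTITY_DECL.findall(doc))
    body = _ENTITY_DECL.sub("", doc)
    memo = {}
    return sum(expanded_size(m.group(1), entities, memo)
               for m in _ENTITY_REF.finditer(body))

def would_be_rejected(doc, max_amplification=DEFAULT_MAX_AMPLIFICATION,
                      activation_threshold=DEFAULT_ACTIVATION_THRESHOLD):
    """Decision the two XML_SetBillionLaughsAttackProtection* calls tune;
    ratio is (direct + indirect) / direct, ASCII input so len == bytes."""
    total = len(doc) + indirect_bytes(doc)
    return total >= activation_threshold and total / len(doc) > max_amplification

# Constructed sample: five nesting levels of ten references each.
SAMPLE = ('<?xml version="1.0"?>\n<!DOCTYPE d [\n<!ENTITY a "aaaaaaaaaa">\n'
          '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
          '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
          '<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">\n'
          '<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">\n]>\n<d>&e;&e;</d>\n')
```

With the defaults the 258-byte sample is accepted despite a ratio near 776, because its total output stays far below the 8 MiB threshold; lowering the threshold to 0 makes the same document trip the maximum-amplification check.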
msg395649 - Author: (sping) Date: 2021-06-11 17:03
FTR that^^ Sebastian is me :)
msg396688 - Author: STINNER Victor (vstinner) (Python committer) Date: 2021-06-29 00:57
The attached cpython_rebuild_expat_dir.sh script updates our libexpat copy in Modules/expat/ to 2.4.1. I used it to create the attached PR 26945.
msg400534 - Author: Łukasz Langa (lukasz.langa) (Python committer) Date: 2021-08-29 14:08
New changeset 3fc5d84046ddbd66abac5b598956ea34605a4e5d by Victor Stinner in branch 'main':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
https://github.com/python/cpython/commit/3fc5d84046ddbd66abac5b598956ea34605a4e5d
msg400537 - Author: Łukasz Langa (lukasz.langa) (Python committer) Date: 2021-08-29 14:31
New changeset c9c2a0bc9820f93f1020f3498f6893a3544c9b76 by Miss Islington (bot) in branch '3.8':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28033)
https://github.com/python/cpython/commit/c9c2a0bc9820f93f1020f3498f6893a3544c9b76
msg400538 - Author: miss-islington (miss-islington) Date: 2021-08-29 14:32
New changeset 270678564c16452614a8acd93763bdf64fb4d286 by Miss Islington (bot) in branch '3.10':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
https://github.com/python/cpython/commit/270678564c16452614a8acd93763bdf64fb4d286
msg400539 - Author: Łukasz Langa (lukasz.langa) (Python committer) Date: 2021-08-29 14:36
New changeset 007221a43e566db08c0c5c00756d80dfd9dccafe by Miss Islington (bot) in branch '3.9':
bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28032)
https://github.com/python/cpython/commit/007221a43e566db08c0c5c00756d80dfd9dccafe
msg400547 - Author: Łukasz Langa (lukasz.langa) (Python committer) Date: 2021-08-29 15:24
3.6 will need a separate backport because it's using expat 2.2.6 at the moment (from b2260e59ff1eaf20de4738099005ddf507b7b27d).

3.7 conflicted since it didn't include local changes to the vendored 2.2.8 that were introduced in 3.8+. I fixed that, the backport is up.
msg400601 - Author: STINNER Victor (vstinner) (Python committer) Date: 2021-08-30 13:39
I created https://python-security.readthedocs.io/vuln/expat-billion-laughs.html to track this vulnerability.
msg400691 - Author: Ned Deily (ned.deily) (Python committer) Date: 2021-08-31 05:12
New changeset 79101b890ee021a901a8b6837a3a320d57adb725 by Łukasz Langa in branch '3.7':
[3.7] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042)
https://github.com/python/cpython/commit/79101b890ee021a901a8b6837a3a320d57adb725
msg400694 - Author: Ned Deily (ned.deily) (Python committer) Date: 2021-08-31 06:35
New changeset 910886a6448e4bf1edf49eeace4aa240b6403772 by Ned Deily in branch '3.6':
[3.6] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) (GH-28080)
https://github.com/python/cpython/commit/910886a6448e4bf1edf49eeace4aa240b6403772
msg400695 - Author: Ned Deily (ned.deily) (Python committer) Date: 2021-08-31 07:05
PRs merged in 3.7 branch for release in 3.7.12 and in 3.6 branch for release in 3.6.15.
History
Date | User | Action | Args
2021-08-31 07:05:24 | ned.deily | set | status: open -> closed; resolution: fixed; messages: + msg400695; stage: patch review -> resolved
2021-08-31 06:35:39 | ned.deily | set | messages: + msg400694
2021-08-31 06:34:02 | ned.deily | set | pull_requests: + pull_request26523
2021-08-31 05:12:01 | ned.deily | set | messages: + msg400691
2021-08-30 13:39:34 | vstinner | set | messages: + msg400601
2021-08-29 15:24:19 | lukasz.langa | set | messages: + msg400547
2021-08-29 15:17:28 | lukasz.langa | set | pull_requests: + pull_request26487
2021-08-29 14:36:44 | lukasz.langa | set | messages: + msg400539
2021-08-29 14:32:58 | miss-islington | set | messages: + msg400538
2021-08-29 14:31:35 | lukasz.langa | set | messages: + msg400537
2021-08-29 14:08:47 | miss-islington | set | pull_requests: + pull_request26478
2021-08-29 14:08:42 | miss-islington | set | pull_requests: + pull_request26477
2021-08-29 14:08:37 | miss-islington | set | nosy: + miss-islington; pull_requests: + pull_request26476
2021-08-29 14:08:31 | lukasz.langa | set | messages: + msg400534
2021-06-29 00:57:30 | vstinner | set | files: + cpython_rebuild_expat_dir.sh; messages: + msg396688
2021-06-29 00:56:15 | vstinner | set | keywords: + patch; stage: patch review; pull_requests: + pull_request25512
2021-06-21 15:33:04 | vstinner | set | nosy: + ned.deily, lukasz.langa, pablogsal
2021-06-11 17:15:01 | sping | set | title: [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Updated to vendoed copy to expat 2.4.1 -> [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1
2021-06-11 17:03:52 | sping | set | nosy: + sping; messages: + msg395649
2021-06-11 15:46:25 | gvanrossum | set | nosy: + gvanrossum; messages: + msg395642
2021-06-11 14:14:07 | vstinner | create |