expat 2.2.0: Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472) #73777
cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.0 to fix various security vulnerabilities.

21 June 2016, Expat 2.2.0 released. Security fixes:
CVE-2016-0718 (issue 537)
CVE-2016-4472
CVE-2016-5300 (issue 499)
CVE-2012-6702 (issue 519)

Fix should be applied to all maintained python branches.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702

Extract of Modules/pyexpat.c:

```c
#if ((XML_MAJOR_VERSION >= 2) && (XML_MINOR_VERSION >= 1)) || defined(XML_HAS_SET_HASH_SALT)
    /* This feature was added upstream in libexpat 2.1.0. Our expat copy
     * has a backport of this feature where we also define XML_HAS_SET_HASH_SALT
     * to indicate that we can still use it. */
    XML_SetHashSalt(self->itself,
                    (unsigned long)_Py_HashSecret.prefix);
#endif
```

Python 2.7, 3.5, 3.6 and 3.7 have this call at least (I didn't check other versions).
You may want to look also at https://pypi.python.org/pypi/defusedxml

CVE-2016-0718 and CVE-2016-4472 might be relevant for Python. CVE-2016-5300 and CVE-2012-6702 are irrelevant. As Victor already pointed out, Python seeds libexpat from a good CPRNG.
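As an added example (not code from this issue thread or from CPython itself): a stdlib-only check that reads the expat version actually linked into the running interpreter and maps the four CVEs named above to fixed, affected, or not applicable. The names `FIXED_IN`, `audit_expat` and `parse_expat_version` are my own; the 2.2.0 threshold for CVE-2016-0718 and CVE-2016-4472 comes from the issue text, and the two hash-salt CVEs are recorded as not applicable because, as the comment above says, CPython seeds libexpat's hash salt from a CPRNG via `XML_SetHashSalt`. It assumes only the documented `xml.parsers.expat.EXPAT_VERSION` and `xml.parsers.expat.version_info` attributes.

```python
"""Audit the libexpat linked into this Python against the CVEs discussed
in the expat 2.2.0 upgrade issue.  Added example; not CPython's own code."""
import re
import xml.parsers.expat as expat

# Fixed-in versions as stated in the issue: both parsing bugs were fixed
# in expat 2.2.0.  The hash-salt CVEs are tracked separately below.
FIXED_IN = {
    "CVE-2016-0718": (2, 2, 0),
    "CVE-2016-4472": (2, 2, 0),
}

# CPython calls XML_SetHashSalt() with a value derived from _Py_HashSecret,
# so the weak/unseeded hash-salt CVEs do not apply regardless of version.
NOT_APPLICABLE = ("CVE-2016-5300", "CVE-2012-6702")


def parse_expat_version(version_string):
    """Turn a string such as 'expat_2.2.0' (the form of EXPAT_VERSION)
    into a comparable (major, minor, micro) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if m is None:
        raise ValueError("unrecognised expat version string: %r" % version_string)
    return tuple(int(part) for part in m.groups())


def audit_expat(version_info):
    """Map each CVE to True (fixed in this version), False (affected)
    or None (not applicable to CPython because of hash-salt seeding)."""
    version_info = tuple(version_info)
    result = {cve: version_info >= fixed for cve, fixed in FIXED_IN.items()}
    for cve in NOT_APPLICABLE:
        result[cve] = None
    return result


def running_interpreter_is_patched():
    """Audit the expat this interpreter is actually using.  Both the string
    and tuple attributes describe the same library, so they must agree."""
    info = parse_expat_version(expat.EXPAT_VERSION)
    if info != tuple(expat.version_info):
        raise RuntimeError("EXPAT_VERSION and version_info disagree")
    return all(state is not False for state in audit_expat(info).values())


if __name__ == "__main__":
    current = tuple(expat.version_info)
    print("linked expat:", expat.EXPAT_VERSION)
    for cve, state in sorted(audit_expat(current).items()):
        label = {True: "fixed", False: "AFFECTED", None: "not applicable"}[state]
        print("%s: %s" % (cve, label))
```

Run it directly to print one line per CVE for the interpreter in use; `audit_expat` can also be fed a version tuple from a build log or another host to review a fleet without executing code there.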
I'm working on a new documentation of Python vulnerabilities to help handle such issues:
Note that a duplicate of this issue was opened as bpo-30610 and @matrixise was working on a PR there to update the embedded expat to 2.2.0. Since there are CVEs and a demo crash supplied in bpo-30610, it seems to me we need to fix this for 3.6.2rc1 so I'm making this a "release blocker" and delaying the release. I'm willing to be convinced otherwise. Christian or Victor, can one of you please follow up on this for the 3.6 branch ASAP? Thanks!
I upgraded Modules/expat/ to expat 2.2 using the attached rebuild_expat_dir.sh script:

TODO: Should be done later in the master branch, once the security fix is handled.
New changeset 23ec4b5 by Victor Stinner in branch 'master':

Python 3.3 currently embeds a copy of libexpat 2.1.0, whereas other branches have libexpat 2.1.1:

@ned Deily: I removed the "release blocker" flag, since I just merged my PR to update libexpat to 2.2 in the Python 3.6 branch.

Thanks, Victor, for seeing this through and thanks, everyone else, for the reviews and assistance.

FYI, expat 2.2.1 has now been released. See bpo-30694 for details.

Added pull_request2355 to address issues from upgrading to Expat 2.2.0 on Windows 2.7

I would prefer to first fix the new vulnerabilities, by upgrading expat to 2.2.1, and then review your change. => #2312
Just a note with the PR, the changes to PCbuild\pyexpat.vcxproj and

On Wed, Jun 21, 2017 at 1:14 PM, STINNER Victor <report@bugs.python.org> wrote:

Jeremy Kloth added the comment:
PR 2310. Yes, I agree. Can you please propose patches for master, and
I don't quite understand what's happening on this issue. I see that master, 3.6, 3.6, and 2.7 have been upgraded to expat 2.2.0. This issue was created to upgrade CPython to 2.2.0. But the PRs against 3.3 and 3.4 upgrade expat to 2.2.1?! I'm not against this change in principle, I'm just trying to understand why a) it doesn't match the issue, b) why 3.3 and 3.4 are special, c) why we don't upgrade master & 3.6 & 3.5 & 2.7 to expat 2.2.1.

I upgraded libexpat to 2.2.0 in this issue, and then to libexpat 2.2.1 in bpo-30694. For the 3.3 and 3.4 pull requests, I chose to use this bpo number. So these pull requests upgrade directly to 2.2.1.

Please instead choose to use bpo-30694 for the upgrades of 3.3 and 3.4 to expat 2.2.1. I guess there are historical reasons why the PRs are here, but bpo stands as a historical record; let's not confuse posterity by upgrading to 2.2.1 using a bpo issue talking about--and upgrading four branches to--2.2.0.

Larry: "Please instead choose to use bpo-30694 for the upgrades of 3.3 and 3.4 to expat 2.2.1. I guess there are historical reasons why the PRs are here, but bpo stands as a historical record; let's not confuse posterity by upgrading to 2.2.1 using a bpo issue talking about--and upgrading four branches to--2.2.0." I just updated the 3.4 PR. In fact, the PR backports the libexpat 2.2.0 commit *and* then the libexpat 2.2.1 commit. Since it's not possible to create a "patch series" (in GitHub, it would mean a PR which depends on another PR), I chose to stack the two commits in the same PR and reuse the existing PR to not lose context.
I changed the PR title to mention the two bpo.

Okay. Closing this bug, because all the branches that are being upgraded to expat 2.2.*0* have already gotten their upgrades. Job done. The discussions for PRs 2203 and 2204 should move to Issue bpo-30694, which is for the upgrade to expat 2.2.*1*.

Well, technically 3.3 wasn't upgraded yet:

Correct. But technically 3.3 is being upgraded to 2.2.*1*, which is being tracked on--repeating myself here--Issue bpo-30694.

Here, I'll remove 3.4 and 3.5 from the versions affected. Now everybody can be pedantic!