The pyexpat module calls XML_SetHashSalt(self->itself, (unsigned long)_Py_HashSecret.expat.hashsalt) to initialize the salt for hash randomization of the XML_Parser struct. The _elementree C accelerator doesn't call XML_SetHashSalt().

It's not a security issue with recent versions of libexpat. The library initializes the salt from a good entry source by default.

Note we compile expat with -DXML_POOR_ENTROPY on the assumption that Python always initializes the entropy itself.

Note we compile expat with -DXML_POOR_ENTROPY on the assumption that Python always initializes the entropy itself.

Oh. I forgot this thing. So it seems like we have to backport this change to 2.7, 3.6 and newer versions.

What about Python 3.4 and 3.5? Python 3.5 has a copy of libexpat 2.2.0, but setup.py doesn't build expat with XML_POOR_ENTROPY=1.

Dang, it's a security bug after all. :(

3.5 has 2.2.4, so it's fine. 2.2.2 had a bug in salt initialization.

New changeset cb5778f by Miss Islington (bot) (Christian Heimes) in branch 'master':
bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
cb5778f

Since it's a security fix, the change should land in 3.4 and 3.5, too.

New changeset 470a435 by Miss Islington (bot) in branch '3.7':
bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
470a435

New changeset 18b20ba by Miss Islington (bot) (Christian Heimes) in branch '2.7':
[2.7] bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146) (GH-9394)
18b20ba

New changeset f7666e8 by Miss Islington (bot) in branch '3.6':
bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
f7666e8

The bug affects multiple platforms. libexpat's expat.h uses slightly different autoconf macro names than pyconfig.h. Therefore only platforms that have either HAVE_GETRANDOM or _WIN32 defined, use a proper CSPRNG to seed the hash salt.

Since HAVE_SYSCALL_GETRANDOM, HAVE_ARC4RANDOM_BUF, HAVE_ARC4RANDOM, or XML_DEV_URANDOM are never defined by Python's pyconfig.h, older Linux platforms, any BSD, and any other Unix platform with /dev/urandom fall back to a weak Mersenne Twister-like RNG with gettimeofday().tv_usec and getpid() as seed.

I have contected Red Hat product security to request a CVE for the issue.

CVE-2018-14647 was assigned to this issue.

New changeset 026337a by Miss Islington (bot) (Christian Heimes) in branch 'master':
bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482)
026337a

New changeset 10be1d3 by Miss Islington (bot) in branch '2.7':
[2.7] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9490)
10be1d3

New changeset d1b336e by Miss Islington (bot) in branch '3.6':
[3.6] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9489)
d1b336e

New changeset 5c3d8b2 by Miss Islington (bot) in branch '3.7':
[3.7] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9488)
5c3d8b2

Will this change be backported to 3.5 and 3.4? It applied cleanly on both however on 3.4 there is a test failure:

======================================================================
ERROR: test_del_attribute (test.test_xml_etree_c.MiscTests)
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.4.9/Lib/test/test_xml_etree_c.py", line 26, in test_del_attribute
    element = cET.Element('tag')
AttributeError: 'NoneType' object has no attribute 'Element'

Will this change be backported to 3.5 and 3.4? It applied cleanly on both however on 3.4 there is a test failure:

It actually haven't applied cleanly to me on Python 3.4.6 (SLE-12 package). Apparently self->parser has to be changed into self_xp->parser. Then all tests passed for me.

If any Linux maintainer wants to take this patch.

New changeset d16eaf3 by larryhastings (stratakis) in branch '3.4':
[3.4] bpo-34623: Use XML_SetHashSalt in _elementtree (bpo-9953)
d16eaf3

New changeset 41b48e7 by larryhastings (stratakis) in branch '3.5':
[3.5] bpo-34623: Use XML_SetHashSalt in _elementtree (bpo-9933)
41b48e7