msg395634
Author: STINNER Victor (vstinner)
Date: 2021-06-11 14:14
Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to retrieve the fix for the security vulnerability CVE-2013-0340 "Billion Laughs": https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/

The table of vulnerabilities in Python XML parsers should be updated as well: https://docs.python.org/dev/library/xml.html#xml-vulnerabilities

My outdated notes on Modules/expat/: copy of libexpat
* ./configure --with-system-expat
* Rationale: https://mail.python.org/pipermail/python-dev/2017-June/148287.html
* Used on Windows and macOS, Linux distributions use system libexpat
* Version: search for XML_MAJOR_VERSION in Modules/expat/expat.h
* Script to update it: see attached script to https://bugs.python.org/issue30947
* Recent update: https://bugs.python.org/issue30947
* Python 2.7, 3.3-3.6 use libexpat 2.2.1

https://pythondev.readthedocs.io/files.html
|
|
msg395642
Author: Guido van Rossum (gvanrossum)
Date: 2021-06-11 15:46
(From PSRT list, Sebastian:)

Please note that the vulnerability fix also added two new functions to the API that would be great to have xml.parsers.expat expose to the users for full control. These are:
- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold

Module xml.parsers.expat.errors and its docs also need 6 new error code entries to be complete:

/* Added in 2.0. */
38 XML_ERROR_RESERVED_PREFIX_XML
39 XML_ERROR_RESERVED_PREFIX_XMLNS
40 XML_ERROR_RESERVED_NAMESPACE_URI
/* Added in 2.2.1. */
41 XML_ERROR_INVALID_ARGUMENT
/* Added in 2.3.0. */
42 XML_ERROR_NO_BUFFER
/* Added in 2.4.0. */
43 XML_ERROR_AMPLIFICATION_LIMIT_BREACH

With regard to the table of vulnerabilities mentioned in the ticket, please note that vulnerability "quadratic blowup" is also fixed by >=2.4.0. Personally, I consider it a flavor of Billion Laughs and all known variations are covered, including that one.
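The two messages above (the request to vendor Expat 2.4.1 and the list of error codes still missing from xml.parsers.expat.errors) both come down to checks a maintainer or deployer can run against a given Python build. The script below is an added example for this thread, not CPython's or libexpat's own code. It assumes that the error-code names are spelled exactly as in the expat.h enum quoted above, that `xml.parsers.expat.version_info` reports the linked libexpat version, and it adds one application-level mitigation of its own (a hypothetical `parse_rejecting_nested_entities` helper): since every known Billion Laughs variant relies on entities that expand to other entities, an `EntityDeclHandler` that refuses nested internal entity definitions stops the blow-up at declaration time, on any libexpat version.

```python
"""Added example: version and error-constant checks for the vendored libexpat,
plus an entity-nesting guard (not CPython's code)."""
import re
import xml.parsers.expat as expat
from xml.parsers.expat import errors

# libexpat release that first shipped the amplification limit
# (the CVE-2013-0340 fix the thread asks to vendor).
BILLION_LAUGHS_FIX = (2, 4, 0)

# Error-code names the thread lists as missing from xml.parsers.expat.errors
# (assumption: names match the expat.h enum quoted in the thread).
NEWER_ERROR_NAMES = (
    "XML_ERROR_RESERVED_PREFIX_XML",          # 38, expat 2.0
    "XML_ERROR_RESERVED_PREFIX_XMLNS",        # 39, expat 2.0
    "XML_ERROR_RESERVED_NAMESPACE_URI",       # 40, expat 2.0
    "XML_ERROR_INVALID_ARGUMENT",             # 41, expat 2.2.1
    "XML_ERROR_NO_BUFFER",                    # 42, expat 2.3.0
    "XML_ERROR_AMPLIFICATION_LIMIT_BREACH",   # 43, expat 2.4.0
)

# A general-entity reference inside an entity literal value, e.g. "&a;".
# Character references (&#...;) are expanded by the parser itself and the
# five predefined entities cannot nest, so both are excluded.
_ENTITY_REF = re.compile(r"&(?!#)(?!(?:amp|lt|gt|quot|apos);)[^;\s]+;")


def has_amplification_limit(version_info=None):
    """True if libexpat is at least 2.4.0, i.e. carries the built-in
    amplification limit. Defaults to the version linked into this Python."""
    if version_info is None:
        version_info = expat.version_info
    return tuple(version_info[:3]) >= BILLION_LAUGHS_FIX


def missing_error_names(module=errors):
    """Names from NEWER_ERROR_NAMES that the given errors module lacks."""
    return [name for name in NEWER_ERROR_NAMES if not hasattr(module, name)]


class NestedEntityError(ValueError):
    """Raised when an internal entity's value references another entity."""


def parse_rejecting_nested_entities(data):
    """Parse `data` with pyexpat but abort on the first internal entity whose
    value references another entity. Returns the element names seen, in order.

    Refusing nested definitions happens before any expansion takes place, so
    no amplified text is ever produced, whatever libexpat version is linked.
    """
    parser = expat.ParserCreate()
    seen = []

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation):
        # `value` is None for external entities; only internal values can nest.
        if value is not None and _ENTITY_REF.search(value):
            raise NestedEntityError(
                f"entity {name!r} references another entity: {value!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)   # an exception in a handler propagates from here
    return seen


if __name__ == "__main__":
    print("libexpat", expat.EXPAT_VERSION, "has amplification limit:",
          has_amplification_limit())
    print("missing error names:", missing_error_names() or "none")
    # Constructed documents: a flat entity (accepted) and a nested one (rejected).
    flat = '<!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>'
    nested = '<!DOCTYPE r [<!ENTITY a "x"><!ENTITY b "&a;&a;">]><r>&b;</r>'
    print(parse_rejecting_nested_entities(flat))
    try:
        parse_rejecting_nested_entities(nested)
    except NestedEntityError as exc:
        print("rejected:", exc)
```

The version check is what a deployment audit needs after this update lands: a Python built with `--with-system-expat` reports the distribution's libexpat, not the vendored one, so the result can differ between two builds of the same CPython release. The entity guard is deliberately stricter than libexpat's own limit (it rejects any nesting rather than measuring amplification), which is the right trade-off for inputs that have no legitimate reason to declare entities at all.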
|
|
msg395649
Author: (sping)
Date: 2021-06-11 17:03
FTR that^^ Sebastian is me :) |
|
|
msg396688
Author: STINNER Victor (vstinner)
Date: 2021-06-29 00:57
The attached cpython_rebuild_expat_dir.sh script updates our libexpat copy in Modules/expat/ to 2.4.1. I used it to create attached PR 26945.
|
|
msg400534
Author: Łukasz Langa (lukasz.langa)
Date: 2021-08-29 14:08
New changeset 3fc5d84046ddbd66abac5b598956ea34605a4e5d by Victor Stinner in branch 'main': bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
https://github.com/python/cpython/commit/3fc5d84046ddbd66abac5b598956ea34605a4e5d
|
|
msg400537
Author: Łukasz Langa (lukasz.langa)
Date: 2021-08-29 14:31
New changeset c9c2a0bc9820f93f1020f3498f6893a3544c9b76 by Miss Islington (bot) in branch '3.8': bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28033)
https://github.com/python/cpython/commit/c9c2a0bc9820f93f1020f3498f6893a3544c9b76
|
|
msg400538
Author: miss-islington (miss-islington)
Date: 2021-08-29 14:32
New changeset 270678564c16452614a8acd93763bdf64fb4d286 by Miss Islington (bot) in branch '3.10': bpo-44394: Update libexpat copy to 2.4.1 (GH-26945)
https://github.com/python/cpython/commit/270678564c16452614a8acd93763bdf64fb4d286
|
|
msg400539
Author: Łukasz Langa (lukasz.langa)
Date: 2021-08-29 14:36
New changeset 007221a43e566db08c0c5c00756d80dfd9dccafe by Miss Islington (bot) in branch '3.9': bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28032)
https://github.com/python/cpython/commit/007221a43e566db08c0c5c00756d80dfd9dccafe
|
|
msg400547
Author: Łukasz Langa (lukasz.langa)
Date: 2021-08-29 15:24
3.6 will need a separate backport because it's using expat 2.2.6 at the moment (from b2260e59ff1eaf20de4738099005ddf507b7b27d). 3.7 conflicted since it didn't include local changes to the vendored 2.2.8 that were introduced in 3.8+. I fixed that, the backport is up. |
|
|
msg400601
Author: STINNER Victor (vstinner)
Date: 2021-08-30 13:39
I created https://python-security.readthedocs.io/vuln/expat-billion-laughs.html to track this vulnerability. |
|
|
msg400691
Author: Ned Deily (ned.deily)
Date: 2021-08-31 05:12
New changeset 79101b890ee021a901a8b6837a3a320d57adb725 by Łukasz Langa in branch '3.7': [3.7] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042)
https://github.com/python/cpython/commit/79101b890ee021a901a8b6837a3a320d57adb725
|
|
msg400694
Author: Ned Deily (ned.deily)
Date: 2021-08-31 06:35
New changeset 910886a6448e4bf1edf49eeace4aa240b6403772 by Ned Deily in branch '3.6': [3.6] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) (GH-28080)
https://github.com/python/cpython/commit/910886a6448e4bf1edf49eeace4aa240b6403772
|
|
msg400695
Author: Ned Deily (ned.deily)
Date: 2021-08-31 07:05
PRs merged in 3.7 branch for release in 3.7.12 and in 3.6 branch for release in 3.6.15. |
|
|
msg402783
Author: Pablo Galindo Salgado (pablogsal)
Date: 2021-09-28 15:43
The backport to 3.8 broke 3.8.12 in AIX:

0/Modules/_decimal/libmpdec/sixstep.o build/temp.aix-7.1-3.8/tmp/python3.8-3.8.12-0/Modules/_decimal/libmpdec/transpose.o -L. -L/opt/bb/lib -L/opt/bb/lib64 -R/opt/bb/lib64 -lm -o build/lib.aix-7.1-3.8/_decimal.cpython-38.so
*** WARNING: renaming "pyexpat" since importing it failed: rtld: 0712-001 Symbol _isnanf was referenced from module build/lib.aix-7.1-3.8/pyexpat.cpython-38.so(), but a runtime definition of the symbol was not found.
|
|
msg402797
Author: (sping)
Date: 2021-09-28 17:56
For the AIX link error that Pablo brought up, there is merged pull request https://github.com/libexpat/libexpat/pull/510 upstream. |
|
|
msg402869
Author: Pablo Galindo Salgado (pablogsal)
Date: 2021-09-29 13:18
New changeset 6c1154b9de29e1c9cd3d05f5289543e5cff73895 by Pablo Galindo Salgado in branch 'main': bpo-44394: Ensure libexpat is linked against libm (GH-28617)
https://github.com/python/cpython/commit/6c1154b9de29e1c9cd3d05f5289543e5cff73895
|
|
msg402872
Author: miss-islington (miss-islington)
Date: 2021-09-29 13:48
New changeset fafa213870193cf79557588ae8f9a4af570fd6e3 by Miss Islington (bot) in branch '3.9': bpo-44394: Ensure libexpat is linked against libm (GH-28617)
https://github.com/python/cpython/commit/fafa213870193cf79557588ae8f9a4af570fd6e3
|
|
msg402875
Author: Łukasz Langa (lukasz.langa)
Date: 2021-09-29 14:13
New changeset 412ae8ab10734b72384c969181919cc4eb154406 by Miss Islington (bot) in branch '3.10': [3.10] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28621)
https://github.com/python/cpython/commit/412ae8ab10734b72384c969181919cc4eb154406
|
|
msg402880
Author: Łukasz Langa (lukasz.langa)
Date: 2021-09-29 14:36
New changeset 90004fca1cc3c6e3c9b2c3faae5cb1b7d7711648 by Miss Islington (bot) in branch '3.8': [3.8] bpo-44394: Ensure libexpat is linked against libm (GH-28617) (GH-28620)
https://github.com/python/cpython/commit/90004fca1cc3c6e3c9b2c3faae5cb1b7d7711648
|
|
msg409459
Author: Stefan Behnel (scoder)
Date: 2022-01-01 14:27
I'd like to ask for clarification regarding issue 45321, which adds the missing error constants to the `expat` module. I consider those new features – it seems inappropriate to add new module constants in the middle of a release series. However, in this ticket here, the libexpat version was updated all the way back to Py3.6, to solve a security issue. Should we also backport the error constants then? |
|
|