Update embedded copy of libexpat from 2.2.1 to 2.2.3 #75130
Comments
libexpat released a new version 2.2.2 which seems to contain 2 or 3 security fixes. I'm not sure that Python is affected by these bugs. https://github.com/libexpat/libexpat/blob/R_2_2_2/expat/Changes#L5 Release 2.2.2 Wed July 12 2017
Radically Open Security -- Previous issue for expat 2.2.1: issue bpo-30694.
FYI this change only impacts Python 2.7, since Python 3.3 and newer require Visual Studio 2010 or newer, and I already backported (cherry-picked) this specific commit in Python 2.7:
That's my small contribution, so coming from CPython :-)
Nice contributions from Segev Finer, coming from CPython ;-)
Another contribution of Segev Finer, already fixed downstream (in Python):
About the 3 security fixes (is the last change a security fix?). """ Since Python uses its own entropy source, I don't think that this change impacts us. """ I don't understand the consequence of this specific bug. libexpat/libexpat@95b9503 """ I'm not sure that it's possible to call XML_Parse() with NULL in Python.
Expat 2.2.3 was released: Release 2.2.3 Wed August 2 2017
Core Infrastructure Initiative
Previous update: bpo-30694.
cpython_rebuild_expat_dir.sh: Script used to update Modules/expat/ to 2.2.3. The script now uses the libexpat Git repository. Previously, I used tarballs.
I don't think that this bug affects Python since Python sets a hash secret.
Could the updating script be added into the CPython repository? |
If libexpat is upgraded in Python 2.7, the new Modules/expat/loadlibrary.c should also be added to PC/VS9.0/ project files, as I did for PCbuild. Note: PC/VS7.1/ and PC/VS8.0/ are likely broken and don't need to be updated, right?
Expat 2.2.3 has a bug: see bpo-31170 :-(
libexpat has been upgraded from 2.2.1 to 2.2.4 in 2.7, 3.4, 3.5, 3.6 and master branches.
And in 3.3. |
Victor, the PR for this BPO has introduced XML_POOR_ENTROPY. Neither the commit message nor the issue explains why. Which platform failed to compile without XML_POOR_ENTROPY?
Christian Heimes <lists@cheimes.de> added the comment:
And, maybe: "Oh, compilation fails on Travis CI at:" And my rationale is (extract of setup.py):
But I'm wrong if I understood what you told me last week.
Do you remember which platform failed? It doesn't say on the GH PR either. See bpo-34623 for the security bug. We only set a good salt for pyexpat-based parsers (sax, dom, pure Python etree), but not for the C-accelerated ElementTree implementation.
It was the Linux job of Travis CI, something like an old Ubuntu LTS version. Since Travis CI prevented me from merging anything and Python already has access to a safe PRNG, I didn't worry about that issue. The disabled code shouldn't be needed on Python.
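The thread above is about which libexpat release ends up compiled into a given CPython build and whether each parser path gets the new code. The following is an added example, not code from CPython or from any participant in this issue: it reports the libexpat version the running interpreter is actually linked against and runs a small smoke test through both the pyexpat and ElementTree parser paths. The 2.2.4 floor used in the demo is an assumption taken from the comment in this thread that upgraded the embedded copy, not a general recommendation; the sample XML is constructed.

```python
"""Check which libexpat a CPython interpreter actually uses.

Added example for this issue thread, not code from CPython or the thread
participants. pyexpat reports the version of the libexpat it was built
against (the embedded Modules/expat copy or a system library), so this is
the quickest way to confirm that an upgrade of the vendored copy reached
the interpreter you are running.
"""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

# Constructed sample input for the smoke tests below.
SAMPLE = b"<root><a x='1'/><b/></root>"


def expat_version():
    """Return the linked libexpat version as a (major, minor, micro) tuple."""
    return tuple(expat.version_info)


def expat_at_least(minimum, current=None):
    """True if `current` (default: the linked libexpat) is >= `minimum`.

    Both arguments are 3-tuples of ints, compared lexicographically.
    """
    current = expat_version() if current is None else current
    return tuple(current) >= tuple(minimum)


def parse_with_expat(data):
    """Parse `data` with a fresh pyexpat parser; return element names in order.

    A new parser object is created per call, so whatever setup pyexpat's
    parser constructor performs (including its hash-salt handling) runs here.
    """
    seen = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def parse_with_etree(data):
    """Parse `data` with ElementTree; return element tags in document order.

    ElementTree uses its C-accelerated implementation when available, which
    is the parser path the thread notes was handled separately from pyexpat.
    """
    root = ET.fromstring(data)
    return [el.tag for el in root.iter()]


if __name__ == "__main__":
    # Assumed floor: the release this issue ended up upgrading to.
    floor = (2, 2, 4)
    print("libexpat:", expat.EXPAT_VERSION, expat_version())
    print("at least %d.%d.%d:" % floor, expat_at_least(floor))
    print("pyexpat path:", parse_with_expat(SAMPLE))
    print("etree path:  ", parse_with_etree(SAMPLE))
```

Run it under each interpreter you ship (e.g. a 2.7 build and a 3.x build) and compare the reported version with the release you expected from the vendored Modules/expat; a mismatch usually means the build picked up a system libexpat instead of the embedded copy.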