_elementtree.c doesn't call XML_SetHashSalt() #78804
Comments
The pyexpat module calls XML_SetHashSalt(self->itself, (unsigned long)_Py_HashSecret.expat.hashsalt) to initialize the salt for hash randomization of the XML_Parser struct. The _elementtree C accelerator doesn't call XML_SetHashSalt(). It's not a security issue with recent versions of libexpat. The library initializes the salt from a good entropy source by default.
Note we compile expat with -DXML_POOR_ENTROPY on the assumption that Python always initializes the entropy itself.
Oh. I forgot this thing. So it seems like we have to backport this change to 2.7, 3.6 and newer versions. What about Python 3.4 and 3.5? Python 3.5 has a copy of libexpat 2.2.0, but setup.py doesn't build expat with XML_POOR_ENTROPY=1.
Dang, it's a security bug after all. :( 3.5 has 2.2.4, so it's fine. 2.2.2 had a bug in salt initialization.
Since it's a security fix, the change should land in 3.4 and 3.5, too.
The bug affects multiple platforms. libexpat's expat.h uses slightly different autoconf macro names than pyconfig.h. Therefore only platforms that have either HAVE_GETRANDOM or _WIN32 defined use a proper CSPRNG to seed the hash salt. Since HAVE_SYSCALL_GETRANDOM, HAVE_ARC4RANDOM_BUF, HAVE_ARC4RANDOM, or XML_DEV_URANDOM are never defined by Python's pyconfig.h, older Linux platforms, any BSD, and any other Unix platform with /dev/urandom fall back to a weak Mersenne Twister-like RNG with gettimeofday().tv_usec and getpid() as seed.
I have contacted Red Hat product security to request a CVE for the issue.
CVE-2018-14647 was assigned to this issue.
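The comments above establish which facts decide exposure to CVE-2018-14647: whether the _elementtree C accelerator (which did not call XML_SetHashSalt()) is the parser actually in use, and which libexpat version is bundled (the thread calls 2.2.4 fine and 2.2.2 buggy for salt initialization). The following script collects those facts from a running interpreter. It is an added example, not code from CPython or from anyone in this thread; it only reports what can be observed from Python and cannot tell whether the build used -DXML_POOR_ENTROPY or whether a backported fix is present, so treat its output as input to an assessment, not as a verdict.

```python
"""Collect the interpreter-side facts relevant to CPython issue #78804 /
CVE-2018-14647 (added example; not CPython's or the issue reporters' code)."""
import sys

import pyexpat
import xml.etree.ElementTree as ET


def parse_expat_version(version_string):
    """Turn pyexpat.EXPAT_VERSION, e.g. 'expat_2.2.4', into (2, 2, 4)."""
    digits = version_string.rsplit("_", 1)[-1]
    return tuple(int(part) for part in digits.split("."))


def expat_default_salt_known_ok(version):
    """The thread states that libexpat 2.2.4's own salt initialization is fine
    and that 2.2.2 was buggy; anything older than 2.2.4 is treated as not known
    good here (assumption: no other statements about versions are used)."""
    return tuple(version) >= (2, 2, 4)


def uses_c_accelerator():
    """True when xml.etree.ElementTree's XMLParser is the _elementtree C type.

    ElementTree.py does 'from _elementtree import *' when the accelerator is
    importable, so the public XMLParser name is then the C class."""
    c_module = sys.modules.get("_elementtree")
    if c_module is None:
        return False
    return ET.XMLParser is getattr(c_module, "XMLParser", None)


def salt_is_set_by_python(using_c_accelerator):
    """Before the fix only the pyexpat-based pure-Python parser passed
    _Py_HashSecret.expat.hashsalt to XML_SetHashSalt(); _elementtree did not."""
    return not using_c_accelerator


def report():
    """Return a dict describing this interpreter's ElementTree/expat setup."""
    version = parse_expat_version(pyexpat.EXPAT_VERSION)
    c_accel = uses_c_accelerator()
    return {
        "python": tuple(sys.version_info[:3]),
        "expat_version": version,
        "c_accelerator_in_use": c_accel,
        # If Python does not seed the salt, the parser relies on libexpat's
        # own seeding, which the thread shows can be weak when built with
        # XML_POOR_ENTROPY and without HAVE_GETRANDOM or _WIN32.
        "salt_seeded_by_python_pre_fix": salt_is_set_by_python(c_accel),
        "expat_default_salt_known_ok": expat_default_salt_known_ok(version),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it under each interpreter you ship; a result with the C accelerator in use and a libexpat older than 2.2.4 is the combination the thread treats as needing the backport, provided the build is one that relies on libexpat's own entropy.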
New changeset 026337a by Miss Islington (bot) (Christian Heimes) in branch 'master': |
Will this change be backported to 3.5 and 3.4? It applied cleanly on both, however on 3.4 there is a test failure:

======================================================================
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.4.9/Lib/test/test_xml_etree_c.py", line 26, in test_del_attribute
    element = cET.Element('tag')
AttributeError: 'NoneType' object has no attribute 'Element'

It actually hasn't applied cleanly for me on Python 3.4.6 (SLE-12 package). Apparently self->parser has to be changed into self_xp->parser. Then all tests passed for me. If any Linux maintainer wants to take this patch.