
Security vulnerability in bundled expat CVE-2019-15903 (fix available in expat 2.2.8) #82355

Closed

UcheOgbuji (mannequin) opened this issue Sep 14, 2019 · 12 comments

Labels: 3.7 (EOL, end of life), 3.8 (EOL, end of life), 3.9 (only security fixes), topic-XML, type-security (a security issue)

Comments


UcheOgbuji mannequin commented Sep 14, 2019

BPO 38174
Nosy @vstinner, @larryhastings, @benjaminp, @ned-deily
PRs
  • closes bpo-38174: Update vendored expat library to 2.2.8. #16346
  • [3.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16407
  • [2.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16408
  • [3.8] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16409
  • [3.6] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16410
  • [2.7] bpo-38174 follow up: Remove loadlibrary.c from VS9.0. #16411
  • [3.5] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) #16434

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2019-10-09.05:34:30.679>
    created_at = <Date 2019-09-14.20:10:07.191>
    labels = ['type-security', 'expert-XML', '3.7', '3.8', '3.9']
    title = 'Security vulnerability in bundled expat CVE-2019-15903 (fix available in expat 2.2.8)'
    updated_at = <Date 2019-10-09.05:34:30.678>
    user = 'https://bugs.python.org/UcheOgbuji'

    bugs.python.org fields:

    activity = <Date 2019-10-09.05:34:30.678>
    actor = 'larry'
    assignee = 'none'
    closed = True
    closed_date = <Date 2019-10-09.05:34:30.679>
    closer = 'larry'
    components = ['XML']
    creation = <Date 2019-09-14.20:10:07.191>
    creator = 'Uche Ogbuji'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 38174
    keywords = ['patch']
    message_count = 12.0
    messages = ['352449', '353258', '353259', '353260', '353261', '353262', '353265', '353273', '353274', '353342', '353423', '354248']
    nosy_count = 5.0
    nosy_names = ['vstinner', 'larry', 'benjamin.peterson', 'ned.deily', 'Uche Ogbuji']
    pr_nums = ['16346', '16407', '16408', '16409', '16410', '16411', '16434']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue38174'
    versions = ['Python 2.7', 'Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9']


    cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.8 to fix security vulnerability CVE-2019-15903.

    From Sebastian Pipping on XML-DEV ML:

    Expat 2.2.8 [1] has been released yesterday. This release fixes a
    security issue — a heap buffer over-read known as CVE-2019-15903 [2]
    reported by Joonun Jang resulting in Denial of Service —, starts using
    the rand_s function on Windows and MinGW (ending the previous
    LoadLibrary hack), includes non-security bugfixes, many build system
    fixes and improvements, improvements to xmlwf usability, and more.

    For more details regarding the latest release, please check out the
    changelog [3].

    If you maintain Expat packaging or a bundled copy of Expat or a pinned
    version of Expat somewhere, please update to 2.2.8. Thank you!

    [1] https://github.com/libexpat/libexpat/releases/tag/R_2_2_8
    [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
    [3] https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
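A check a maintainer can run against a deployed interpreter to see whether the expat it links against is at or past the fixing release. This is an added example, not code from this issue or from CPython; it uses the real `pyexpat.EXPAT_VERSION` and `pyexpat.version_info` attributes and assumes the 2.2.8 boundary stated above.

```python
# Added example (not from this issue or from CPython): check whether the expat a
# Python interpreter links against is at or past the release fixing CVE-2019-15903.
import re
from typing import Optional, Tuple

# The issue names expat 2.2.8 as the first release fixing CVE-2019-15903.
FIXED_IN = (2, 2, 8)

# pyexpat.EXPAT_VERSION looks like "expat_2.2.8"; a bare "2.2.8" is also
# accepted so a version copied from a changelog can be checked the same way.
_VERSION_RE = re.compile(r"^(?:expat_)?(\d+)\.(\d+)\.(\d+)$")


def parse_expat_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn an EXPAT_VERSION-style string into a comparable tuple, or None."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        return None
    major, minor, micro = (int(part) for part in match.groups())
    return (major, minor, micro)


def is_fixed(version, fixed_in=FIXED_IN) -> bool:
    """True when the expat version is at or beyond the fixing release."""
    return tuple(version) >= tuple(fixed_in)


def check_running_interpreter() -> dict:
    """Report which expat the running interpreter actually links against.

    Caveat: a distribution may build Python against its system libexpat and
    backport the fix without bumping the version, so a False result here is
    a prompt to consult the vendor advisory, not a confirmed exposure.
    """
    import pyexpat  # wraps whichever expat (bundled or system) Python uses
    info = tuple(pyexpat.version_info)
    return {
        "expat_version": pyexpat.EXPAT_VERSION,
        "version_info": info,
        "fixed_for_cve_2019_15903": is_fixed(info),
        # Both attributes should describe the same library; flag a mismatch.
        "string_matches_tuple": parse_expat_version(pyexpat.EXPAT_VERSION) == info,
    }


if __name__ == "__main__":
    for key, value in check_running_interpreter().items():
        print(f"{key}: {value}")
```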

    @UcheOgbuji UcheOgbuji (mannequin) added the labels 3.7 (EOL), 3.8 (EOL), 3.9 (only security fixes), topic-XML and type-security on Sep 14, 2019
    @benjaminp (Contributor)

    New changeset 52b9408 by Benjamin Peterson in branch 'master':
    closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346)

    @benjaminp (Contributor)

    New changeset e73b93a by Benjamin Peterson in branch '2.7':
    [2.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16408)

    @benjaminp (Contributor)

    New changeset 8e4622e by Benjamin Peterson in branch '3.7':
    [3.7] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16407)

    @benjaminp (Contributor)

    New changeset d75bf44 by Benjamin Peterson in branch '3.8':
    [3.8] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16409)

    @benjaminp (Contributor)

    New changeset f050163 by Benjamin Peterson in branch '3.6':
    [3.6] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16410)

    @benjaminp (Contributor)

    New changeset 90b4e49 by Benjamin Peterson in branch '2.7':
    bpo-38174 follow up: Remove loadlibrary.c from VS9.0. (GH-16411)

    @vstinner (Member)

    New changeset 90b4e49 by Benjamin Peterson in branch '2.7':
    bpo-38174 follow up: Remove loadlibrary.c from VS9.0. (GH-16411)

    Oh, I was going to report AMD64 Windows7 SP1 VS9.0 2.7 buildbot failure and propose a fix, but you already fixed it. Thanks!
    https://buildbot.python.org/all/#/builders/26/builds/334

    @vstinner (Member)

    Benjamin: Python 3.5 is in the Versions field, but I don't see any change related to 3.5 yet. It's also impacted, no? Do you plan to backport the fix? I can do it if you want.

    @vstinner vstinner reopened this Sep 26, 2019
    @benjaminp (Contributor)

    You're welcome to 3.5.

    On Thu, Sep 26, 2019, at 00:23, STINNER Victor wrote:

    STINNER Victor <vstinner@python.org> added the comment:

    Benjamin: Python 3.5 is in the Versions field, but I don't see any
    change related to 3.5 yet. It's also impacted, no? Do you plan to
    backport the fix? I can do it if you want.

    ----------
    resolution: fixed ->
    status: closed -> open


    Python tracker <report@bugs.python.org>
    <https://bugs.python.org/issue38174>


    @ned-deily (Member)

    Perhaps this should be a release blocker for 3.5.8. Larry?

    @larryhastings (Contributor)

    New changeset c386c8b by larryhastings (Victor Stinner) in branch '3.5':
    closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) (bpo-16434)

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022