[security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1 #88560
Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to retrieve the fix for the security vulnerability CVE-2013-0340 "Billion Laughs": The table of vulnerabilities in Python XML parsers should be updated as well: My outdated notes on Modules/expat/: copy of libexpat
(From PSRT list, Sebastian:) Please note that the vulnerability fix also added two new functions to
Module xml.parsers.expat.errors and its docs also need 6 new error codes: /* Added in 2.0. */ /* Added in 2.2.1. */ /* Added in 2.3.0. */ /* Added in 2.4.0. */ With regard to the table of vulnerabilities mentioned in the ticket,
FTR that^^ Sebastian is me :)

Attached cpython_rebuild_expat_dir.sh script updates Modules/expat/ to our libexpat copy to 2.4.1. I used it to create attached PR 26945.

3.6 will need a separate backport because it's using expat 2.2.6 at the moment (from b2260e5). 3.7 conflicted since it didn't include local changes to the vendored 2.2.8 that were introduced in 3.8+. I fixed that, the backport is up.

I created https://python-security.readthedocs.io/vuln/expat-billion-laughs.html to track this vulnerability.

PRs merged in 3.7 branch for release in 3.7.12 and in 3.6 branch for release in 3.6.15.

The backport to 3.8 broke 3.8.12 in AIX:

0/Modules/_decimal/libmpdec/sixstep.o build/temp.aix-7.1-3.8/tmp/python3.8-3.8.12-0/Modules/_decimal/libmpdec/transpose.o -L. -L/opt/bb/lib -L/opt/bb/lib64 -R/opt/bb/lib64 -lm -o build/lib.aix-7.1-3.8/_decimal.cpython-38.so *** WARNING: renaming "pyexpat" since importing it failed: rtld: 0712-001 Symbol _isnanf was referenced

For the AIX link error that Pablo brought up, there is merged pull request libexpat/libexpat#510 upstream.

I'd like to ask for clarification regarding bpo-45321, which adds the missing error constants to the Should we also backport the error constants then?
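A way to check, on a given interpreter, whether the vendored Expat discussed in this thread carries the 2.4.0 fix and whether the error constants from bpo-45321 are present. This is an added example, not a script from the issue or from CPython; it assumes that Expat >= 2.4.0 is the first release with the fix (as the issue states) and that the constant name `XML_ERROR_AMPLIFICATION_LIMIT_BREACH` is the one bpo-45321 added for the new limit.

```python
# Added audit script (not from the CPython issue thread). It reports whether the
# running interpreter's Expat carries the CVE-2013-0340 ("Billion Laughs") fix
# and whether the Python-level error constant for the new limit exists.
# Assumptions: Expat >= 2.4.0 ships the fix (per the issue); the constant name
# below is the one bpo-45321 exposed. The two C-level tuning functions Expat
# 2.4.0 added are not wrapped by xml.parsers.expat, so Expat's defaults apply.
import pyexpat
from xml.parsers.expat import errors

FIXED_IN = (2, 4, 0)  # first Expat release with the fix, per the issue
LIMIT_ERROR = "XML_ERROR_AMPLIFICATION_LIMIT_BREACH"  # assumed constant name


def parse_expat_version(version):
    """Turn 'expat_2.4.1' (pyexpat.EXPAT_VERSION format) or '2.4.1' into a tuple."""
    digits = version.rsplit("_", 1)[-1]
    return tuple(int(part) for part in digits.split("."))


def expat_has_billion_laughs_fix(version=None):
    """True when the given, or the running, Expat version is >= 2.4.0."""
    parsed = parse_expat_version(version) if version else pyexpat.version_info
    return tuple(parsed) >= FIXED_IN


def audit_running_expat():
    """Summarise what the running interpreter's vendored/linked Expat provides."""
    # The constant only exists once the bpo-45321 change is in this Python build.
    limit_constant = getattr(errors, LIMIT_ERROR, None)
    return {
        "expat_version": pyexpat.EXPAT_VERSION,
        "has_cve_2013_0340_fix": expat_has_billion_laughs_fix(),
        "exposes_amplification_error": limit_constant is not None,
        "amplification_error_message": limit_constant,
    }


if __name__ == "__main__":
    for key, value in audit_running_expat().items():
        print(f"{key}: {value}")
```

A build that reports the fix but not the constant is the situation the last comment asks about: the parser enforces the limit, but Python code cannot name the resulting error symbolically.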