bpo-44394: Update libexpat copy to 2.4.1 #26945
Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.
cc @tiran: please have a look at the XML vulnerability documentation change. I'm not sure that pyexpat is used by all Python XML parsers.
I used the cpython_rebuild_expat_dir.sh script attached to https://bugs.python.org/issue44394 to create this PR, then I manually reverted the following change:
I tested this PR with the command: test_pyexpat passes successfully. Manual test to ensure that the Python
libexpat is not listed in the library dependencies, so it's ok.
Doc/library/xml.rst
@@ -63,19 +63,21 @@ the various modules are vulnerable to them. | |||
========================= ============== =============== ============== ============== ============== | |||
kind sax etree minidom pulldom xmlrpc | |||
========================= ============== =============== ============== ============== ============== | |||
billion laughs **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** **Vulnerable** | |||
billion laughs Safe (1) Safe (1) Safe (1) Safe (1) Safe (1) |
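Review bot: The replacement row marks every module "Safe (1)" unconditionally, but the fix only applies when the libexpat that pyexpat is actually linked against is 2.4.1 or newer, and on Linux that is often the distribution's libexpat rather than the vendored copy. Consider keeping **Vulnerable** with the footnote, or wording the row so that safety is stated to depend on the libexpat version, and have footnote (1) state the 2.4.1 minimum together with how to check the version of the running interpreter.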
I'm against marking it safe until Python no longer supports libexpat <= 2.4.0.
That's a fair point. Any ideas how to best communicate it in this table?
Vulnerable or Safe depends on the libexpat version, that's what I wrote in the footnote (1). I explain how to check manually if your Python is vulnerable or not.
@tiran How do you want to explain that it depends on the libexpat version in this table, if you are unhappy with "Safe (1)"?
Do **Vulnerable** (1) until all relevant Linux distros have fixed libexpat: all supported CentOS streams, Debian stables, RHELs, Ubuntu LTS, etc.
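The version-dependent status debated above, as an added example that is not part of this PR or of CPython: `classify_expat` applies the 2.4.1 threshold from this PR to a `pyexpat.version_info` tuple, and `make_hardened_parser` shows a mitigation that does not depend on the libexpat version at all, refusing any DTD entity declaration (the mechanism billion laughs relies on). The threshold choice and the assumption that the application never needs DTD entities are mine.

```python
# Added example, not CPython code: report which libexpat pyexpat is linked
# against, and build an expat parser that refuses entity declarations so
# entity expansion cannot start regardless of the libexpat version.
import pyexpat

# Threshold taken from the PR: the vendored copy moves from 2.2.8 to 2.4.1.
FIXED_EXPAT = (2, 4, 1)


def classify_expat(version_info):
    """'fixed' if this libexpat carries the billion-laughs fix, else
    'vulnerable'. version_info is (major, minor, micro) as in
    pyexpat.version_info."""
    return "fixed" if tuple(version_info) >= FIXED_EXPAT else "vulnerable"


def running_python_status():
    """Status of the libexpat actually loaded by this interpreter. On
    Linux this is often the distro library, not the vendored copy."""
    return {"expat_version": pyexpat.EXPAT_VERSION,
            "status": classify_expat(pyexpat.version_info)}


class EntityDeclarationRefused(ValueError):
    """Raised when untrusted input declares a DTD entity."""


def make_hardened_parser():
    """Expat parser that aborts on any entity declaration. An exception
    raised in a handler stops the parse and propagates out of Parse()."""
    parser = pyexpat.ParserCreate()

    def refuse(entity_name, *_unused):
        raise EntityDeclarationRefused(
            "entity declaration %r refused" % entity_name)

    parser.EntityDeclHandler = refuse
    return parser


def parse_untrusted(data):
    """Parse bytes with the hardened parser and return the root element
    name; raises EntityDeclarationRefused if the DTD declares an entity."""
    root = []

    def start(name, attrs):
        if not root:
            root.append(name)

    parser = make_hardened_parser()
    parser.StartElementHandler = start
    parser.Parse(data, True)
    return root[0]
```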
@vstinner the two new API functions and the new error codes do not seem included, yet. Did you see https://bugs.python.org/msg395642 ?
@vstinner I'm not entirely sure what the idea is with that test but libexpat is listed for me on Linux:
That's a new feature, it cannot be backported to older Python versions. I'm not interested in writing a PR to implement it. This PR is restricted to updating libexpat so it can be backported to all Python versions which still accept security fixes.
The new API and error codes are part of the security fix.
This PR is stale because it has been open for 30 days with no activity.
Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS. Co-authored-by: Łukasz Langa <[email protected]> (cherry picked from commit 3fc5d84) Co-authored-by: Victor Stinner <[email protected]>
GH-28031 is a backport of this pull request to the 3.10 branch.
GH-28032 is a backport of this pull request to the 3.9 branch.
GH-28033 is a backport of this pull request to the 3.8 branch.
Sorry, @vstinner and @ambv, I could not cleanly backport this to
Sorry @vstinner and @ambv, I had trouble checking out the
@ned-deily, this is marked as needing backport to 3.6 and 3.7 as well. Since there's conflicts, please let me know if I should work on that.
GH-28042 is a backport of this pull request to the 3.7 branch.
Thanks for the update @ambv! I failed to find time to update this PR this summer ;-)
Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS. Co-authored-by: Victor Stinner <[email protected]> Co-authored-by: Łukasz Langa <[email protected]>. (cherry picked from commit 3fc5d84)
https://bugs.python.org/issue44394