[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-05-10 Thread Ned Deily
Change by Ned Deily: -- Removed message: https://bugs.python.org/msg342101

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-05-10 Thread Ned Deily
Ned Deily added the comment: New changeset d16eaf36795da48b930b80b20d3805bc27820712 by larryhastings (stratakis) in branch '3.4': [3.4] bpo-34623: Use XML_SetHashSalt in _elementtree (#9953) https://github.com/python/cpython/commit/d16eaf36795da48b930b80b20d3805bc27820712

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-02-28 Thread Larry Hastings
Change by Larry Hastings: -- resolution: -> fixed; stage: patch review -> resolved; status: open -> closed

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-02-25 Thread Larry Hastings
Larry Hastings added the comment: New changeset 41b48e71ac8a71f56694b548f118bd20ce203410 by larryhastings (stratakis) in branch '3.5': [3.5] bpo-34623: Use XML_SetHashSalt in _elementtree (#9933) https://github.com/python/cpython/commit/41b48e71ac8a71f56694b548f118bd20ce203410

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-02-25 Thread Larry Hastings
Larry Hastings added the comment: New changeset d16eaf36795da48b930b80b20d3805bc27820712 by larryhastings (stratakis) in branch '3.4': [3.4] bpo-34623: Use XML_SetHashSalt in _elementtree (#9953) https://github.com/python/cpython/commit/d16eaf36795da48b930b80b20d3805bc27820712

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-01-25 Thread Matej Cepl
Matej Cepl added the comment:

> Will this change be backported to 3.5 and 3.4? It applied cleanly on both
> however on 3.4 there is a test failure:

It actually hasn't applied cleanly for me on Python 3.4.6 (SLE-12 package). Apparently self->parser has to be changed into self_xp->parser.

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-10-18 Thread Serhiy Storchaka
Change by Serhiy Storchaka: -- assignee: -> larry; nosy: +larry; priority: normal -> release blocker; versions: -Python 2.7, Python 3.6, Python 3.7, Python 3.8

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-10-18 Thread Charalampos Stratakis
Change by Charalampos Stratakis: -- pull_requests: +9301

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-10-17 Thread Charalampos Stratakis
Change by Charalampos Stratakis: -- pull_requests: +9284

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-10-15 Thread Charalampos Stratakis
Charalampos Stratakis added the comment: Will this change be backported to 3.5 and 3.4? It applied cleanly on both however on 3.4 there is a test failure: == ERROR: test_del_attribute (test.test_xml_etree_c.MiscTests)

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington
miss-islington added the comment: New changeset 5c3d8b2efda1b99abe09ad925f366c5695bd66fb by Miss Islington (bot) in branch '3.7': [3.7] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9488) https://github.com/python/cpython/commit/5c3d8b2efda1b99abe09ad925f366c5695bd66fb

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington
miss-islington added the comment: New changeset 10be1d3f802b874914b2a13eb41407c7a582d9b3 by Miss Islington (bot) in branch '2.7': [2.7] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9490) https://github.com/python/cpython/commit/10be1d3f802b874914b2a13eb41407c7a582d9b3

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington
miss-islington added the comment: New changeset d1b336e530472f316b1d164d04626724c83b16d7 by Miss Islington (bot) in branch '3.6': [3.6] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9489) https://github.com/python/cpython/commit/d1b336e530472f316b1d164d04626724c83b16d7

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington
Change by miss-islington: -- pull_requests: +8899

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington
Change by miss-islington: -- pull_requests: +8900

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington
miss-islington added the comment: New changeset 026337a7101369297c8083047d2f3c6fc9dd1e2b by Miss Islington (bot) (Christian Heimes) in branch 'master': bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) https://github.com/python/cpython/commit/026337a7101369297c8083047d2f3c6fc9dd1e2b

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington
Change by miss-islington: -- pull_requests: +8898

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread Christian Heimes
Change by Christian Heimes: -- pull_requests: +8892

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread Christian Heimes
Christian Heimes added the comment: CVE-2018-14647 was assigned to this issue.

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread Christian Heimes
Christian Heimes added the comment: I have contacted Red Hat product security to request a CVE for the issue.

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread Christian Heimes
Christian Heimes added the comment: The bug affects multiple platforms. libexpat's expat.h uses slightly different autoconf macro names than pyconfig.h. Therefore only platforms that have either HAVE_GETRANDOM or _WIN32 defined, use a proper CSPRNG to seed the hash salt. Since

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington
miss-islington added the comment: New changeset f7666e828cc3d5873136473ea36ba2013d624fa1 by Miss Islington (bot) in branch '3.6': bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146) https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington
miss-islington added the comment: New changeset 18b20bad75b4ff0486940fba4ec680e96e70f3a2 by Miss Islington (bot) (Christian Heimes) in branch '2.7': [2.7] bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146) (GH-9394)

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington
miss-islington added the comment: New changeset 470a435f3b42c9be5fdb7f7b04f3df5663ba7305 by Miss Islington (bot) in branch '3.7': bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146) https://github.com/python/cpython/commit/470a435f3b42c9be5fdb7f7b04f3df5663ba7305

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread Christian Heimes
Change by Christian Heimes: -- pull_requests: +8818

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread Christian Heimes
Christian Heimes added the comment: Since it's a security fix, the change should land in 3.4 and 3.5, too. -- versions: +Python 2.7, Python 3.4, Python 3.5

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington
Change by miss-islington: -- pull_requests: +8817

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington
Change by miss-islington: -- pull_requests: +8816

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington
miss-islington added the comment: New changeset cb5778f00ce48631c7140f33ba242496aaf7102b by Miss Islington (bot) (Christian Heimes) in branch 'master': bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146) https://github.com/python/cpython/commit/cb5778f00ce48631c7140f33ba242496aaf7102b

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread Christian Heimes
Christian Heimes added the comment: Dang, it's a security bug after all. :( 3.5 has 2.2.4, so it's fine. 2.2.2 had a bug in salt initialization. -- type: behavior -> security; versions: +Python 3.6, Python 3.7

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread STINNER Victor
STINNER Victor added the comment:

> Note we compile expat with -DXML_POOR_ENTROPY on the assumption that Python
> always initializes the entropy itself.

Oh. I forgot this thing. So it seems like we have to backport this change to 2.7, 3.6 and newer versions. What about Python 3.4 and 3.5?

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread Benjamin Peterson
Benjamin Peterson added the comment: Note we compile expat with -DXML_POOR_ENTROPY on the assumption that Python always initializes the entropy itself. -- nosy: +benjamin.peterson

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread Christian Heimes
Change by Christian Heimes: -- keywords: +patch; pull_requests: +8594; stage: -> patch review

[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread Christian Heimes
New submission from Christian Heimes: The pyexpat module calls XML_SetHashSalt(self->itself, (unsigned long)_Py_HashSecret.expat.hashsalt) to initialize the salt for hash randomization of the XML_Parser struct. The _elementtree C accelerator doesn't call XML_SetHashSalt().