[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-21 Thread Jeremy Kloth

Jeremy Kloth added the comment:

Added pull_request2355 to address issues from upgrading to Expat 2.2.0 on 
Windows 2.7

--
nosy: +jkloth

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-21 Thread Jeremy Kloth

Changes by Jeremy Kloth :


--
pull_requests: +2355




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-17 Thread Ned Deily

Ned Deily added the comment:

FYI, expat 2.2.1 has now been released.  See Issue30694 for details.

--




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread Ned Deily

Ned Deily added the comment:

Thanks, Victor, for seeing this through and thanks, everyone else, for the 
reviews and assistance.

--




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

STINNER Victor added the comment:


New changeset 8c797ed8a0fea5e3162b9415f13e270d4d5d9549 by Victor Stinner in 
branch '3.5':
bpo-29591: Upgrade Modules/expat to libexpat 2.2 (#2164) (#2201)
https://github.com/python/cpython/commit/8c797ed8a0fea5e3162b9415f13e270d4d5d9549


--




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

STINNER Victor added the comment:


New changeset 0e4571a68a7f48e8469ef05b04ba3463d3fd82c0 by Victor Stinner in 
branch '2.7':
bpo-29591: Upgrade Modules/expat to libexpat 2.2 (#2164) (#2202)
https://github.com/python/cpython/commit/0e4571a68a7f48e8469ef05b04ba3463d3fd82c0


--




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

STINNER Victor added the comment:

@Ned Deily: I removed the "release blocker" flag, since I just merged my PR to 
update libexpat to 2.2 in the Python 3.6 branch.

--
priority: release blocker -> 




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

STINNER Victor added the comment:


New changeset 86b95370c45dedb8a56c9894372a43681de47a73 by Victor Stinner in 
branch '3.6':
bpo-29591: Upgrade Modules/expat to libexpat 2.2 (#2164) (#2200)
https://github.com/python/cpython/commit/86b95370c45dedb8a56c9894372a43681de47a73


--




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

STINNER Victor added the comment:

Python 3.3 currently embeds a copy of libexpat 2.1.0, whereas other branches 
have libexpat 2.1.1:
http://python-security.readthedocs.io/vuln/issue_26556_expat_2.1.1.html

--




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

Changes by STINNER Victor :


--
pull_requests: +2248




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

Changes by STINNER Victor :


--
nosy: +georg.brandl
versions: +Python 3.3, Python 3.4




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

Changes by STINNER Victor :


--
pull_requests: +2247




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

Changes by STINNER Victor :


--
pull_requests: +2246




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

Changes by STINNER Victor :


--
pull_requests: +2245




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

Changes by STINNER Victor :


--
pull_requests: +2244




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-14 Thread STINNER Victor

STINNER Victor added the comment:


New changeset 23ec4b57e1359f9c539b8defc317542173ae087e by Victor Stinner in 
branch 'master':
bpo-29591: Upgrade Modules/expat to libexpat 2.2 (#2164)
https://github.com/python/cpython/commit/23ec4b57e1359f9c539b8defc317542173ae087e


--




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-13 Thread STINNER Victor

STINNER Victor added the comment:

I upgraded Modules/expat/ to expat 2.2 using attached rebuild_expat_dir.sh 
script:
https://github.com/python/cpython/pull/2164

TODO: Should be done later in the master branch, once the security fix is 
handled.

* Drop support for VMS? VMS support removed from Python 3.4. Remove 
Modules/expat/expat_config.h
* Drop support for the Open Watcom compiler? Compiler not supported by Python. 
Remove Modules/expat/watcomconfig.h
* Send Python downstream changes to expat upstream?

--
Added file: http://bugs.python.org/file46949/rebuild_expat_dir.sh




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-13 Thread STINNER Victor

Changes by STINNER Victor :


--
pull_requests: +2215




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-12 Thread Ned Deily

Changes by Ned Deily :


--
nosy: +matrixise




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-06-12 Thread Ned Deily

Ned Deily added the comment:

Note that a duplicate of this issue was opened as Issue30610 and @matrixise was 
working on a PR there to update the embedded expat to 2.2.0.  Since there are 
CVEs and a demo crash supplied in Issue30610, it seems to me we need to fix 
this for 3.6.2rc1 so I'm making this a "release blocker" and delaying the 
release.  I'm willing to be convinced otherwise.  Christian or Victor, can one 
of you please follow up on this for the 3.6 branch ASAP?  Thanks!

--
nosy: +benjamin.peterson, larry, ned.deily
priority: normal -> release blocker




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-02-21 Thread STINNER Victor

STINNER Victor added the comment:

I'm working on a new documentation of Python vulnerabilities to help to handle 
such issues:
http://python-security.readthedocs.io/en/latest/vulnerabilities.html

--




[issue29591] Various security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

2017-02-20 Thread Natanael Copa

Changes by Natanael Copa :


--
title: Various security vulnerabilities in bundled expat -> Various security 
vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)




[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee:  -> christian.heimes
components: +XML
stage:  -> needs patch
versions:  -Python 3.3, Python 3.4




[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread Christian Heimes

Christian Heimes added the comment:

CVE-2016-0718 and CVE-2016-4472 might be relevant for Python. CVE-2016-5300 and 
CVE-2012-6702 are irrelevant. As Victor already pointed out, Python seeds 
libexpat from a good CPRNG.

--




[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread Chi Hsuan Yen

Changes by Chi Hsuan Yen :


--
nosy: +Chi Hsuan Yen




[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread STINNER Victor

STINNER Victor added the comment:

You may want to look also at https://pypi.python.org/pypi/defusedxml

--




[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread STINNER Victor

STINNER Victor added the comment:

> CVE-2012-6702 (issue 519)
> Resolve troublesome internal call to srand that was introduced with Expat 
> 2.1.0 when addressing CVE-2012-0876 (issue 496)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702

Extract of Modules/pyexpat.c:
---
#if ((XML_MAJOR_VERSION >= 2) && (XML_MINOR_VERSION >= 1)) || defined(XML_HAS_SET_HASH_SALT)
    /* This feature was added upstream in libexpat 2.1.0.  Our expat copy
     * has a backport of this feature where we also define XML_HAS_SET_HASH_SALT
     * to indicate that we can still use it. */
    XML_SetHashSalt(self->itself,
                    (unsigned long)_Py_HashSecret.prefix);
#endif
---

Python 2.7, 3.5, 3.6 and 3.7 have this call at least (I didn't check other 
versions).

--
nosy: +christian.heimes, haypo




[issue29591] Various security vulnerabilities in bundled expat

2017-02-17 Thread Natanael Copa

New submission from Natanael Copa:

cpython bundles expat in Modules/expat/ and needs to be updated to expat-2.2.0 
to fix various security vulnerabilities.

21 June 2016, Expat 2.2.0 released.
Release 2.2.0 includes security & other bug fixes.

Security fixes

CVE-2016-0718 (issue 537)
Fix crash on malformed input

CVE-2016-4472
Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716 introduced with Expat 
2.1.1

CVE-2016-5300 (issue 499)
Use more entropy for hash initialization than the original fix to CVE-2012-0876

CVE-2012-6702 (issue 519)
Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 
when addressing CVE-2012-0876 (issue 496)

Fix should be applied to all maintained python branches.

--
messages: 288014
nosy: Natanael Copa
priority: normal
severity: normal
status: open
title: Various security vulnerabilities in bundled expat
type: security
versions: Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7
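
An added example, not part of the original thread or of CPython's code: a check of which libexpat a given Python interpreter uses, compared against the 2.2.0 fix level reported above. The CVE table and the relevant/mitigated split are taken from this thread; the function and constant names are hypothetical.

```python
"""Audit the libexpat version used by pyexpat against the Expat 2.2.0 fixes."""
import re
import pyexpat

# Fix level per the Expat 2.2.0 release notes quoted in the thread.
FIXED_IN = {
    "CVE-2016-0718": (2, 2, 0),
    "CVE-2016-4472": (2, 2, 0),
    "CVE-2016-5300": (2, 2, 0),
    "CVE-2012-6702": (2, 2, 0),
}
# Judged irrelevant for Python in the thread: pyexpat sets the hash salt
# itself through XML_SetHashSalt (see the Modules/pyexpat.c extract).
MITIGATED_BY_PYEXPAT = {"CVE-2016-5300", "CVE-2012-6702"}


def parse_expat_version(text):
    """Turn 'expat_2.1.1', '2.1.1' or '2.2' into a comparable 3-tuple."""
    m = re.fullmatch(r"(?:expat_)?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        raise ValueError("unrecognised expat version: %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def audit(version):
    """Return the CVEs from the thread that are not yet fixed in `version`."""
    if isinstance(version, str):
        version = parse_expat_version(version)
    version = tuple(version)
    unfixed = sorted(c for c, fixed in FIXED_IN.items() if version < fixed)
    return {
        "version": version,
        "relevant": [c for c in unfixed if c not in MITIGATED_BY_PYEXPAT],
        "mitigated": [c for c in unfixed if c in MITIGATED_BY_PYEXPAT],
    }


def audit_running_interpreter():
    """Audit the libexpat this interpreter actually uses."""
    return audit(pyexpat.version_info)


if __name__ == "__main__":
    # Versions named in the thread: the 3.3 branch, other branches, the fix.
    for v in ("expat_2.1.0", "expat_2.1.1", "expat_2.2.0"):
        print(v, audit(v))
    print(pyexpat.EXPAT_VERSION, audit_running_interpreter())
```

Running the same check inside each deployed interpreter shows whether a branch still carries the pre-2.2.0 copy.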
