[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Updated to vendored copy to expat 2.4.1

2021-06-11 Thread sping


sping  added the comment:

FTR that^^ Sebastian is me :)

--
nosy: +sping

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Updated to vendored copy to expat 2.4.1

2021-06-11 Thread Guido van Rossum


Guido van Rossum  added the comment:

(From PSRT list, Sebastian:)

Please note that the vulnerability fix also added two new functions to
the API that would be great to have xml.parsers.expat expose to the
users for full control.  These are:

- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold

Module xml.parsers.expat.errors and its docs also need 6 new error code
entries to be complete:

  /* Added in 2.0. */
  38 XML_ERROR_RESERVED_PREFIX_XML
  39 XML_ERROR_RESERVED_PREFIX_XMLNS
  40 XML_ERROR_RESERVED_NAMESPACE_URI

  /* Added in 2.2.1. */
  41 XML_ERROR_INVALID_ARGUMENT

  /* Added in 2.3.0. */
  42 XML_ERROR_NO_BUFFER

  /* Added in 2.4.0. */
  43 XML_ERROR_AMPLIFICATION_LIMIT_BREACH

With regard to the table of vulnerabilities mentioned in the ticket,
please note that vulnerability "quadratic blowup" is also fixed by
>=2.4.0.  Personally, I consider it a flavor of Billion Laughs and all
known variations are covered, including that one.

--
nosy: +gvanrossum

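The amplification limit described in the quoted message, checked from Python (an added example for this thread, not CPython or Expat code): it builds a small constructed nested-entity document, parses it with xml.parsers.expat, and reports whether the linked libexpat (vendored or system, per version_info) stops the expansion with error code 43, XML_ERROR_AMPLIFICATION_LIMIT_BREACH. The two XML_SetBillionLaughsAttackProtection* setters are not called, since pyexpat does not expose them; the run assumes Expat's defaults of an 8 MiB activation threshold and a maximum amplification factor of 100.

```python
import xml.parsers.expat as expat

# Numeric value of XML_ERROR_AMPLIFICATION_LIMIT_BREACH (added in Expat 2.4.0)
AMPLIFICATION_LIMIT_BREACH = 43

LEAF = "lol" * 100  # 300-byte leaf entity for the constructed sample


def expat_version():
    """Version tuple of the libexpat actually linked (vendored or system)."""
    return expat.version_info


def amplification_error_message():
    """Error-43 message from the linked library; None on Expat < 2.4.0."""
    return expat.ErrorString(AMPLIFICATION_LIMIT_BREACH)


def build_entity_expansion_doc(depth=5, fanout=10):
    """Constructed sample: nested internal entities whose full expansion is
    fanout**depth copies of LEAF from a document of a few hundred bytes."""
    decls = ['<!ENTITY e0 "%s">' % LEAF]
    for level in range(1, depth + 1):
        refs = ("&e%d;" % (level - 1)) * fanout
        decls.append('<!ENTITY e%d "%s">' % (level, refs))
    return ('<?xml version="1.0"?>\n<!DOCTYPE d [\n%s\n]>\n<d>&e%d;</d>\n'
            % ("\n".join(decls), depth))


def expected_expansion(depth=5, fanout=10):
    """Character count of the full expansion if nothing stops it."""
    return len(LEAF) * fanout ** depth


def parse_and_report(doc):
    """Parse with a plain pyexpat parser; return (error code or None, chars
    delivered to the character-data handler).  Expat >= 2.4.0 aborts with
    code 43 once output passes 8 MiB with amplification above 100."""
    parser = expat.ParserCreate()
    delivered = 0

    def on_chars(data):
        nonlocal delivered
        delivered += len(data)

    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as err:
        return err.code, delivered
    return None, delivered
```

On an Expat older than 2.4.0 the sample (30,000,000 characters when fully expanded) is parsed to completion and parse_and_report returns (None, 30000000); on 2.4.0 or newer it returns (43, n) with n just under 8 MiB.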



[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Updated to vendored copy to expat 2.4.1

2021-06-11 Thread STINNER Victor


New submission from STINNER Victor :

Our vendored copy of Modules/expat/ should be updated to Expat 2.4.1 to 
retrieve the fix for the security vulnerability CVE-2013-0340 "Billion Laughs":
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/

The table of vulnerabilities in Python XML parsers should be updated as well:
https://docs.python.org/dev/library/xml.html#xml-vulnerabilities

My outdated notes on Modules/expat/: copy of libexpat

* ./configure --with-system-expat
* Rationale: https://mail.python.org/pipermail/python-dev/2017-June/148287.html
* Used on Windows and macOS, Linux distributions use system libexpat
* Version: search for XML_MAJOR_VERSION in Modules/expat/expat.h
* Script to update it: see attached script to https://bugs.python.org/issue30947
* Recent update: https://bugs.python.org/issue30947
* Python 2.7, 3.3-3.6 use libexpat 2.2.1

https://pythondev.readthedocs.io/files.html

--
components: Extension Modules
messages: 395634
nosy: vstinner
priority: normal
severity: normal
status: open
title: [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Updated to vendored copy to expat 2.4.1
type: security
versions: Python 3.10, Python 3.11, Python 3.6, Python 3.7, Python 3.8, Python 3.9
