#55 Security fix for CVE-2018-14647 (#1631822)
Closed 11 months ago by churchyard. Opened a year ago by churchyard.
rpms/ churchyard/python3 310  into  master

@@ -0,0 +1,84 @@ 

+ From 5f610ec2043aa6b52cb6a6b5e436df091a4f2d91 Mon Sep 17 00:00:00 2001

+ From: Christian Heimes <christian@python.org>

+ Date: Tue, 18 Sep 2018 14:38:58 +0200

+ Subject: [PATCH] bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)

+ 

+ The C accelerated _elementtree module now initializes hash randomization

+ salt from _Py_HashSecret instead of libexpat's default CPRNG.

+ 

+ Signed-off-by: Christian Heimes <christian@python.org>

+ 

+ https://bugs.python.org/issue34623

+ (cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)

+ 

+ Co-authored-by: Christian Heimes <christian@python.org>

+ ---

+  Include/pyexpat.h                                            | 4 +++-

+  .../next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst   | 2 ++

+  Modules/_elementtree.c                                       | 5 +++++

+  Modules/pyexpat.c                                            | 5 +++++

+  4 files changed, 15 insertions(+), 1 deletion(-)

+  create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst

+ 

+ diff --git a/Include/pyexpat.h b/Include/pyexpat.h

+ index 44259bf6d716..07020b5dc964 100644

+ --- a/Include/pyexpat.h

+ +++ b/Include/pyexpat.h

+ @@ -3,7 +3,7 @@

+  

+  /* note: you must import expat.h before importing this module! */

+  

+ -#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"

+ +#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"

+  #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"

+  

+  struct PyExpat_CAPI

+ @@ -48,6 +48,8 @@ struct PyExpat_CAPI

+      enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);

+      int (*DefaultUnknownEncodingHandler)(

+          void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);

+ +    /* might be none for expat < 2.1.0 */

+ +    int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);

+      /* always add new stuff to the end! */

+  };

+  

+ diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst

+ new file mode 100644

+ index 000000000000..31ad92ef8582

+ --- /dev/null

+ +++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst

+ @@ -0,0 +1,2 @@

+ +The C accelerated _elementtree module now initializes hash randomization

+ +salt from _Py_HashSecret instead of libexpat's default CSPRNG.

+ diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c

+ index 1dfdb3ce34f3..4b86f96a70d3 100644

+ --- a/Modules/_elementtree.c

+ +++ b/Modules/_elementtree.c

+ @@ -3305,6 +3305,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,

+          PyErr_NoMemory();

+          return -1;

+      }

+ +    /* expat < 2.1.0 has no XML_SetHashSalt() */

+ +    if (EXPAT(SetHashSalt) != NULL) {

+ +        EXPAT(SetHashSalt)(self->parser,

+ +                           (unsigned long)_Py_HashSecret.expat.hashsalt);

+ +    }

+  

+      if (target) {

+          Py_INCREF(target);

+ diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c

+ index c8a01d4e088e..c52079e518f2 100644

+ --- a/Modules/pyexpat.c

+ +++ b/Modules/pyexpat.c

+ @@ -1877,6 +1877,11 @@ MODULE_INITFUNC(void)

+      capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;

+      capi.SetEncoding = XML_SetEncoding;

+      capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;

+ +#if XML_COMBINED_VERSION >= 20100

+ +    capi.SetHashSalt = XML_SetHashSalt;

+ +#else

+ +    capi.SetHashSalt = NULL;

+ +#endif

+  

+      /* export using capsule */

+      capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);

file modified
+12 -1

@@ -14,7 +14,7 @@ 

  #  WARNING  When rebasing to a new Python version,

  #           remember to update the python3-docs package as well

  Version: %{pybasever}.0

- Release: 9%{?dist}

+ Release: 10%{?dist}

  License: Python

  

  

@@ -320,6 +320,13 @@ 

  # See: https://bugzilla.redhat.com/show_bug.cgi?id=1609291

  Patch308: 00308-tls-1.3.patch

  

+ # 00310 #

+ # CVE-2018-14647

+ # Use XML_SetHashSalt in _elementtree

+ # rhbz#1631822

+ # Fixed upstream https://bugs.python.org/issue34623

+ Patch310: 00310-use-xml-sethashsalt-in-elementtree.patch

+ 

  # (New patches go here ^^^)

  #

  # When adding new patches to "python" and "python3" in Fedora, EL, etc.,

@@ -652,6 +659,7 @@ 

  %patch291 -p1

  %patch307 -p1

  %patch308 -p1

+ %patch310 -p1

  

  

  # Remove files that should be generated by the build

@@ -1553,6 +1561,9 @@ 

  # ======================================================

  

  %changelog

+ * Mon Sep 24 2018 Miro Hrončok <mhroncok@redhat.com> - 3.7.0-10

+ - Security fix for CVE-2018-14647 (#1631822)

+ 

  * Thu Aug 30 2018 Miro Hrončok <mhroncok@redhat.com> - 3.7.0-9

  - Require python3-setuptools from python3-devel to prevent packaging errors (#1623914)

  

no initial comment

1 test failed:
test_gdb

@cstratak Proposal: skip the test_gdb test for now so we can ship a security fix, deal with that later.

We could do that, however those fixes will be included with the 3.7.1 release which will out in a few days (2018-10-04). Wouldn't it better to wait 1 week to get everything there?

Pull-Request has been closed by churchyard

11 months ago