Skip to content

[3.10] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) #116270

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 6, 2024
Merged

[3.10] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) #116270

merged 3 commits into from
Mar 6, 2024

Conversation

hartwork
Copy link
Contributor

@hartwork hartwork commented Mar 3, 2024
edited by bedevere-app bot
Loading

Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:

  • xml.etree.ElementTree.XMLParser.flush
  • xml.etree.ElementTree.XMLPullParser.flush
  • xml.parsers.expat.xmlparser.GetReparseDeferralEnabled
  • xml.parsers.expat.xmlparser.SetReparseDeferralEnabled
  • xml.sax.expatreader.ExpatParser.flush

Based on the "flush" idea from #115138 (comment) .

Includes code suggested-by: Snild Dolkow [email protected]
and by core dev Serhiy Storchaka.

(cherry picked from commit 6a95676)

@hartwork
pythongh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-…
0444649 
…52425) (pythonGH-115623)

Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:

- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`

Based on the "flush" idea from python#115138 (comment) .

- Please treat as a security fix related to CVE-2023-52425.

Includes code suggested-by: Snild Dolkow <[email protected]>
and by core dev Serhiy Storchaka.

(cherry picked from commit 6a95676)
@bedevere-app bedevere-app bot mentioned this pull request Mar 3, 2024
Merged
@bedevere-app bedevere-app bot added type-feature A feature request or enhancement type-security A security issue labels Mar 3, 2024
@bedevere-app bedevere-app bot mentioned this pull request Mar 3, 2024
Closed
hartwork and others added 2 commits March 6, 2024 22:21
@hartwork
pythongh-115398: Suggest use of hasattr with checking for 3.13 Expa…
08d0d6d 
…t API availability (pythonGH-116278)

Suggest use of "hasattr" with checking for 3.13 Expat API availability

(cherry picked from commit 73807eb)
@gpshead @hartwork
RESTify news API list.
c4c8137 
(cherry picked from commit eda2963)
@gpshead
Copy link
Member

gpshead commented Mar 6, 2024

3.12 and 3.11 branch backports have been merged.

@ambv ambv merged commit 516a6d4 into python:3.10 Mar 6, 2024
@hugovk hugovk mentioned this pull request Mar 23, 2024
Closed
algitbot pushed a commit to alpinelinux/aports that referenced this pull request Mar 23, 2024
@ncopa
main/python3: add stricter dependency on libexpat>=2.6.0
a4aac99 
Since 3.10.14, Pyhon uses the "reparse deferral API" in expat >= 2.6.0:

   python/cpython#116270
algitbot pushed a commit to alpinelinux/aports that referenced this pull request Mar 24, 2024
main/python3: add stricter dependency on libexpat>=2.6.0
8855333 
Since 3.10.14, Pyhon uses the "reparse deferral API" in expat >= 2.6.0:

   python/cpython#116270
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@pablogsal pablogsal

Labels
type-feature A feature request or enhancement type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hartwork @gpshead @ambv @pablogsal