Hi,

On 19/03/2026 11:12, Arnaud Rebillout wrote:
> I've fixed 4 CVEs for Python 3.9 (bullseye), it's more or less ready for upload, however I'd like a second opinion on CVE-2025-69534.
>
> The issue was that the HTML parser throws an exception in case of malformed HTML-like sequences, and the new behavior (after the fix) is that it returns None instead (no more exception).
>
> Reproducer:
>
> ```
> #!/usr/bin/env python3
> import html.parser
> html.parser.HTMLParser().feed("<![\n")
> ```
>
> So, again, with more details. This code throws:
> - `NotImplementedError` in bullseye (Python 3.9)
> - `AssertionError` in bookworm (Python 3.11)
> - nothing, and simply returns None in latest Python
>
> The fix was backported all the way back to 3.9 by Python itself (as part of a larger changeset to improve/fix the HTML parser), it's in 3.9.24.
>
> My question: is it wise to apply this patch and change the behavior? I'm worried that a caller relies on the parser throwing an exception, and starts to misbehave if it doesn't. OTOH, the caller probably checks if the return value is None, so hopefully the change will go unnoticed?

If we fix this in bullseye, then we'll want to fix it in bookworm first.
Which also means we should tidy bookworm first:
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/308
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126814

Anyway, this is an opportunity to exchange with the maintainer (e.g. with a new BTS CVE entry) and/or the SRMs (with a PU request) and get a second opinion.

Additionally you could use https://codesearch.debian.net/ to find impacted code in Debian and get another angle on the issue.

Interestingly, openSUSE claims to fix the issue in python-markdown only: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-69534

Overall this is a minor DoS issue so I believe it doesn't matter much.

> Or maybe the line of thinking should be: if it was backported by Python itself, then no questions asked, we should backport it as well.

Not blindly, no: sometimes the risk of introducing a regression is too high.
See e.g. the <ignored> ones in https://deb.freexian.com/extended-lts/tracker/source-package/python3.7

Cheers!
Sylvain
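Added example (not part of the thread, and not code from Arnaud, Sylvain or the Python project): a small probe that reports which of the three behaviours described above the running interpreter exhibits for the reproducer, plus a wrapper that gives callers the same result whether or not the 3.9.24 fix is present. The expected exception types per version are taken from the thread; the `EventCollector`, `probe_behaviour` and `parse_events` names are this example's own, and both inputs are constructed.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: probe how this interpreter's
html.parser reacts to the CVE-2025-69534 reproducer, and wrap the parser
so a caller behaves the same with or without the fix."""
import html.parser
import sys

# Constructed inputs: the reproducer quoted in the thread and a well-formed snippet.
MALFORMED = "<![\n"
WELL_FORMED = "<p>hi</p>"


class EventCollector(html.parser.HTMLParser):
    """Records the events the parser emits so the caller can inspect them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("starttag", tag))

    def handle_endtag(self, tag):
        self.events.append(("endtag", tag))

    def handle_data(self, data):
        self.events.append(("data", data))

    def handle_comment(self, data):
        self.events.append(("comment", data))

    def unknown_decl(self, data):
        self.events.append(("unknown_decl", data))


def probe_behaviour(data=MALFORMED):
    """Return the exception name feed()/close() raise for `data` on this
    interpreter, or "none" if the parser accepts it silently.
    Per the thread: NotImplementedError on 3.9 before 3.9.24,
    AssertionError on 3.11 before the backport, "none" once fixed."""
    parser = EventCollector()
    try:
        parser.feed(data)
        parser.close()
    except (NotImplementedError, AssertionError) as exc:
        return type(exc).__name__
    return "none"


def parse_events(data):
    """Version-tolerant wrapper: returns (events, error_name).
    A caller that used to rely on the exception checks error_name instead;
    a caller written against a fixed interpreter keeps working on an
    unfixed one, since the exception is turned into a value."""
    parser = EventCollector()
    try:
        parser.feed(data)
        parser.close()
    except (NotImplementedError, AssertionError) as exc:
        return parser.events, type(exc).__name__
    return parser.events, None


if __name__ == "__main__":
    print(sys.version)
    print("reproducer:", probe_behaviour())
    print("well-formed:", parse_events(WELL_FORMED))
```

Running the script on a bullseye, bookworm and a current Python side by side is a quick way to confirm the three behaviours before deciding whether a caller found via codesearch would notice the change.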
