https://github.com/python/cpython/commit/fbd40ce46e7335a5dbaf48a3aa841be22d7302ba
commit: fbd40ce46e7335a5dbaf48a3aa841be22d7302ba
branch: main
author: Sebastian Pipping <[email protected]>
committer: ambv <[email protected]>
date: 2024-02-21T12:26:16+01:00
summary:
gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (GH-115400)
Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
files:
A Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst
M Doc/library/xml.rst
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
index 909022ea4ba6a4..662cc459197e2c 100644
--- a/Doc/library/xml.rst
+++ b/Doc/library/xml.rst
@@ -68,6 +68,7 @@ quadratic blowup **Vulnerable** (1) **Vulnerable**
(1) **Vulnerable*
external entity expansion Safe (5) Safe (2) Safe (3)
Safe (5) Safe (4)
`DTD`_ retrieval Safe (5) Safe Safe
Safe (5) Safe
decompression bomb Safe Safe Safe
Safe **Vulnerable**
+large tokens **Vulnerable** (6) **Vulnerable** (6)
**Vulnerable** (6) **Vulnerable** (6) **Vulnerable** (6)
========================= ================== ==================
================== ================== ==================
1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and
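Review bot: the new `large tokens` row marks all five modules with the identical `**Vulnerable** (6)` cell, which is correct since every one of them parses through pyexpat, but a reader comparing it with the neighbouring `decompression bomb` row (only one module vulnerable) gets no cue in the table itself that the status depends on the linked Expat version rather than on the module. That follows the convention of the `billion laughs` row (`**Vulnerable** (1)` with the fixing Expat version in the footnote), so keep the cells; just make sure footnote 6 leads with the version condition, as it is the only place the reader learns that upgrading Expat resolves the entry.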
@@ -81,6 +82,11 @@ decompression bomb Safe Safe
Safe
4. :mod:`xmlrpc.client` doesn't expand external entities and omits them.
5. Since Python 3.7.1, external general entities are no longer processed by
default.
+6. Expat 2.6.0 and newer is not vulnerable to denial of service
+ through quadratic runtime caused by parsing large tokens.
+ Items still listed as vulnerable due to
+ potential reliance on system-provided libraries. Check
+ :const:`!pyexpat.EXPAT_VERSION`.
billion laughs / exponential entity expansion
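Review bot: footnote 6 uses `:const:`!pyexpat.EXPAT_VERSION``, where the leading `!` suppresses cross-referencing, so the constant renders as plain text even though it is documented as `xml.parsers.expat.EXPAT_VERSION`; write `:const:`xml.parsers.expat.EXPAT_VERSION`` so the reference resolves to the existing entry. Since the purpose of the footnote is "check whether your Expat is at least 2.6.0", `xml.parsers.expat.version_info` (a tuple of ints, directly comparable to `(2, 6, 0)`) is the better constant to point readers at; `EXPAT_VERSION` is a string of the form `expat_2.6.0` and awkward to compare. Also, "Items still listed as vulnerable due to potential reliance on system-provided libraries." has no main verb; "Items are still listed as vulnerable because Python may be linked against a system-provided Expat" reads cleanly.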
@@ -114,6 +120,13 @@ decompression bomb
files. For an attacker it can reduce the amount of transmitted data by three
magnitudes or more.
+large tokens
+ Expat needs to re-parse unfinished tokens; without the protection
+ introduced in Expat 2.6.0, this can lead to quadratic runtime that can
+ be used to cause denial of service in the application parsing XML.
+ The issue is known as
+ `CVE-2023-52425
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425>`_.
+
The documentation for `defusedxml`_ on PyPI has further information about
all known attack vectors with examples and references.
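Review bot: the `large tokens` description explains the mechanism (re-parsing of unfinished tokens) and names CVE-2023-52425, but unlike footnote 6 it does not say what a reader should do about it, so someone arriving at this section from the CVE reference gets no mitigation. Add one sentence stating that the protection is present in Expat 2.6.0 and newer and that the linked version can be checked via `xml.parsers.expat.version_info`, mirroring footnote 6 so that table, footnote and description agree. Minor: "quadratic runtime that can be used to cause denial of service in the application parsing XML" is wordy; "quadratic runtime, which an attacker can use for denial of service against the parsing application" says the same in fewer words.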
diff --git
a/Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst
b/Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst
new file mode 100644
index 00000000000000..587aea802168bd
--- /dev/null
+++
b/Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst
@@ -0,0 +1 @@
+Document CVE-2023-52425 of Expat <2.6.0 under "XML vulnerabilities".
Python-checkins mailing list -- [email protected]