[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-05-10 Thread Ned Deily


Change by Ned Deily :


--
Removed message: https://bugs.python.org/msg342101

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-05-10 Thread Ned Deily


Ned Deily  added the comment:


New changeset d16eaf36795da48b930b80b20d3805bc27820712 by larryhastings 
(stratakis) in branch '3.4':
[3.4] bpo-34623: Use XML_SetHashSalt in _elementtree (#9953)
https://github.com/python/cpython/commit/d16eaf36795da48b930b80b20d3805bc27820712


--
nosy: +ned.deily




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-02-28 Thread Larry Hastings


Change by Larry Hastings :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-02-25 Thread Larry Hastings


Larry Hastings  added the comment:


New changeset 41b48e71ac8a71f56694b548f118bd20ce203410 by larryhastings 
(stratakis) in branch '3.5':
[3.5] bpo-34623: Use XML_SetHashSalt in _elementtree (#9933)
https://github.com/python/cpython/commit/41b48e71ac8a71f56694b548f118bd20ce203410


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-02-25 Thread Larry Hastings


Larry Hastings  added the comment:


New changeset d16eaf36795da48b930b80b20d3805bc27820712 by larryhastings 
(stratakis) in branch '3.4':
[3.4] bpo-34623: Use XML_SetHashSalt in _elementtree (#9953)
https://github.com/python/cpython/commit/d16eaf36795da48b930b80b20d3805bc27820712


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2019-01-25 Thread Matej Cepl


Matej Cepl  added the comment:

> Will this change be backported to 3.5 and 3.4? It applied cleanly on both; 
> however, on 3.4 there is a test failure:

It actually hasn't applied cleanly for me on Python 3.4.6 (SLE-12 package). 
Apparently self->parser has to be changed into self_xp->parser. Then all tests 
passed for me.

If any Linux maintainer wants to take this patch.

--
nosy: +mcepl
Added file: 
https://bugs.python.org/file48077/CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-10-18 Thread Serhiy Storchaka


Change by Serhiy Storchaka :


--
assignee:  -> larry
nosy: +larry
priority: normal -> release blocker
versions:  -Python 2.7, Python 3.6, Python 3.7, Python 3.8




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-10-18 Thread Charalampos Stratakis


Change by Charalampos Stratakis :


--
pull_requests: +9301




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-10-17 Thread Charalampos Stratakis


Change by Charalampos Stratakis :


--
pull_requests: +9284




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-10-15 Thread Charalampos Stratakis


Charalampos Stratakis  added the comment:

Will this change be backported to 3.5 and 3.4? It applied cleanly on both; 
however, on 3.4 there is a test failure:

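======================================================================
ERROR: test_del_attribute (test.test_xml_etree_c.MiscTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.4.9/Lib/test/test_xml_etree_c.py", line 26, in test_del_attribute
    element = cET.Element('tag')
AttributeError: 'NoneType' object has no attribute 'Element'
----------------------------------------------------------------------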

--
nosy: +cstratak




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington


miss-islington  added the comment:


New changeset 5c3d8b2efda1b99abe09ad925f366c5695bd66fb by Miss Islington (bot) 
in branch '3.7':
[3.7] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9488)
https://github.com/python/cpython/commit/5c3d8b2efda1b99abe09ad925f366c5695bd66fb


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington


miss-islington  added the comment:


New changeset 10be1d3f802b874914b2a13eb41407c7a582d9b3 by Miss Islington (bot) 
in branch '2.7':
[2.7] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9490)
https://github.com/python/cpython/commit/10be1d3f802b874914b2a13eb41407c7a582d9b3


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington


miss-islington  added the comment:


New changeset d1b336e530472f316b1d164d04626724c83b16d7 by Miss Islington (bot) 
in branch '3.6':
[3.6] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9489)
https://github.com/python/cpython/commit/d1b336e530472f316b1d164d04626724c83b16d7


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington


Change by miss-islington :


--
pull_requests: +8899




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington


Change by miss-islington :


--
pull_requests: +8900




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington


miss-islington  added the comment:


New changeset 026337a7101369297c8083047d2f3c6fc9dd1e2b by Miss Islington (bot) 
(Christian Heimes) in branch 'master':
bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482)
https://github.com/python/cpython/commit/026337a7101369297c8083047d2f3c6fc9dd1e2b


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread miss-islington


Change by miss-islington :


--
pull_requests: +8898




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread Christian Heimes


Change by Christian Heimes :


--
pull_requests: +8892




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread Christian Heimes


Christian Heimes  added the comment:

CVE-2018-14647 was assigned to this issue.

--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread Christian Heimes


Christian Heimes  added the comment:

I have contacted Red Hat product security to request a CVE for the issue.

--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-21 Thread Christian Heimes


Christian Heimes  added the comment:

The bug affects multiple platforms. libexpat's expat.h uses slightly different 
autoconf macro names than pyconfig.h. Therefore only platforms that have either 
HAVE_GETRANDOM or _WIN32 defined use a proper CSPRNG to seed the hash salt.

Since HAVE_SYSCALL_GETRANDOM, HAVE_ARC4RANDOM_BUF, HAVE_ARC4RANDOM, or 
XML_DEV_URANDOM are never defined by Python's pyconfig.h, older Linux 
platforms, any BSD, and any other Unix platform with /dev/urandom fall back to 
a weak Mersenne Twister-like RNG with gettimeofday().tv_usec and getpid() as 
seed.

--
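
Added example, not part of the original thread or of the CPython patch: one way for a program that embeds libexpat to take the hash salt from the kernel CSPRNG itself, so it never depends on the weak fallback described in the comment above. The helper names os_random and make_hash_salt are hypothetical, and a readable /dev/urandom is assumed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>

/* Fill buf with len bytes from /dev/urandom (kernel CSPRNG).
 * Returns 0 on success, -1 on any failure. It never falls back to
 * time- or pid-based values. */
static int os_random(void *buf, size_t len)
{
    unsigned char *p = buf;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted by a signal: retry */
        if (n <= 0) {               /* hard error or unexpected EOF */
            close(fd);
            return -1;
        }
        p += n;                     /* short read: keep going */
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* Hypothetical helper: returns a non-zero salt, or 0 if no CSPRNG
 * output could be obtained. Zero is rejected because expat treats a
 * salt of 0 as "no salt was set" and generates its own at parse start,
 * which is exactly the path this helper is meant to avoid. */
unsigned long make_hash_salt(void)
{
    unsigned long salt = 0;
    int tries;
    for (tries = 0; tries < 4 && salt == 0; tries++) {
        if (os_random(&salt, sizeof salt) != 0)
            return 0;
    }
    return salt;
}

/* Intended use, before the first XML_Parse() call on a new parser:
 *     unsigned long salt = make_hash_salt();
 *     if (salt == 0 || !XML_SetHashSalt(parser, salt))
 *         treat it as a fatal setup error;
 */
```

A return value of 0 from make_hash_salt should be handled as an error by the caller rather than passed on to XML_SetHashSalt.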




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington


miss-islington  added the comment:


New changeset f7666e828cc3d5873136473ea36ba2013d624fa1 by Miss Islington (bot) 
in branch '3.6':
bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington


miss-islington  added the comment:


New changeset 18b20bad75b4ff0486940fba4ec680e96e70f3a2 by Miss Islington (bot) 
(Christian Heimes) in branch '2.7':
[2.7] bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146) (GH-9394)
https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington


miss-islington  added the comment:


New changeset 470a435f3b42c9be5fdb7f7b04f3df5663ba7305 by Miss Islington (bot) 
in branch '3.7':
bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
https://github.com/python/cpython/commit/470a435f3b42c9be5fdb7f7b04f3df5663ba7305


--




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread Christian Heimes


Change by Christian Heimes :


--
pull_requests: +8818




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread Christian Heimes


Christian Heimes  added the comment:

Since it's a security fix, the change should land in 3.4 and 3.5, too.

--
versions: +Python 2.7, Python 3.4, Python 3.5




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington


Change by miss-islington :


--
pull_requests: +8817




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington


Change by miss-islington :


--
pull_requests: +8816




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-18 Thread miss-islington


miss-islington  added the comment:


New changeset cb5778f00ce48631c7140f33ba242496aaf7102b by Miss Islington (bot) 
(Christian Heimes) in branch 'master':
bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
https://github.com/python/cpython/commit/cb5778f00ce48631c7140f33ba242496aaf7102b


--
nosy: +miss-islington




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread Christian Heimes


Christian Heimes  added the comment:

Dang, it's a security bug after all. :(

3.5 has 2.2.4, so it's fine. 2.2.2 had a bug in salt initialization.

--
type: behavior -> security
versions: +Python 3.6, Python 3.7




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread STINNER Victor


STINNER Victor  added the comment:

> Note we compile expat with -DXML_POOR_ENTROPY on the assumption that Python 
> always initializes the entropy itself.

Oh. I forgot this thing. So it seems like we have to backport this change to 
2.7, 3.6 and newer versions.

What about Python 3.4 and 3.5? Python 3.5 has a copy of libexpat 2.2.0, but 
setup.py doesn't build expat with XML_POOR_ENTROPY=1.

--
nosy: +vstinner




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread Benjamin Peterson


Benjamin Peterson  added the comment:

Note we compile expat with -DXML_POOR_ENTROPY on the assumption that Python 
always initializes the entropy itself.

--
nosy: +benjamin.peterson




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread Christian Heimes


Change by Christian Heimes :


--
keywords: +patch
pull_requests: +8594
stage:  -> patch review




[issue34623] _elementtree.c doesn't call XML_SetHashSalt()

2018-09-10 Thread Christian Heimes


New submission from Christian Heimes :

The pyexpat module calls XML_SetHashSalt(self->itself, 
(unsigned long)_Py_HashSecret.expat.hashsalt) to initialize the salt for hash 
randomization of the XML_Parser struct. The _elementtree C accelerator doesn't 
call XML_SetHashSalt().

It's not a security issue with recent versions of libexpat. The library 
initializes the salt from a good entropy source by default.

--
components: XML
messages: 324954
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: _elementtree.c doesn't call XML_SetHashSalt()
type: behavior
versions: Python 3.8
