.. _elementree-hash-salt: _elementree C accelerator doesn't call XML_SetHashSalt() ======================================================== .. warning:: This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_. The pyexpat module calls ``XML_SetHashSalt()`` to initialize the salt for hash randomization of the XML_Parser struct. The ``_elementree`` C accelerator doesn't call ``XML_SetHashSalt()``. Dates: * Disclosure date: **2018-09-10** (Python issue bpo-34623 reported) Fixed In -------- * Python **2.7.16** (2019-03-02) fixed by `commit 18b20ba (branch 2.7) `_ (2018-09-18) * Python **3.4.10** (2019-03-18) fixed by `commit d16eaf3 (branch 3.5) `_ (2019-02-25) * Python **3.5.7** (2019-03-18) fixed by `commit 41b48e7 (branch 3.4) `_ (2019-02-25) * Python **3.6.7** (2018-10-20) fixed by `commit f7666e8 (branch 3.6) `_ (2018-09-18) * Python **3.7.1** (2018-10-20) fixed by `commit 470a435 (branch 3.7) `_ (2018-09-18) * Python **3.8.0** (2019-10-14) fixed by `commit cb5778f (branch 3.8) `_ (2018-09-18) Python issue ------------ _elementtree.c doesn't call XML_SetHashSalt(). * Python issue: `bpo-34623 `_ * Creation date: 2018-09-10 * Reporter: Christian Heimes CVE-2018-14647 -------------- Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15. * CVE ID: `CVE-2018-14647 `_ * Published: 2018-09-25 * `CVSS Score `_: 5.0 Timeline -------- Timeline using the disclosure date **2018-09-10** as reference: * 2018-09-10: `Python issue bpo-34623 `_ reported by Christian Heimes * 2018-09-18 (**+8 days**): `commit 18b20ba (branch 2.7) `_ * 2018-09-18 (**+8 days**): `commit 470a435 (branch 3.7) `_ * 2018-09-18 (**+8 days**): `commit cb5778f (branch 3.8) `_ * 2018-09-18 (**+8 days**): `commit f7666e8 (branch 3.6) `_ * 2018-09-25 (**+15 days**): CVE-2018-14647 published * 2018-10-20 (**+40 days**): Python 3.6.7 released * 2018-10-20 (**+40 days**): Python 3.7.1 released * 2019-02-25 (**+168 days**): `commit 41b48e7 (branch 3.4) `_ * 2019-02-25 (**+168 days**): `commit d16eaf3 (branch 3.5) `_ * 2019-03-02 (**+173 days**): Python 2.7.16 released * 2019-03-18 (**+189 days**): Python 3.4.10 released * 2019-03-18 (**+189 days**): Python 3.5.7 released * 2019-10-14: Python 3.8.0 released Links ----- * https://bugzilla.redhat.com/show_bug.cgi?id=1632095