_elementree C accelerator doesn’t call XML_SetHashSalt()

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The pyexpat module calls XML_SetHashSalt() to initialize the salt for hash randomization of the XML_Parser struct.

The _elementree C accelerator doesn’t call XML_SetHashSalt().

Dates:

• Disclosure date: 2018-09-10 (Python issue bpo-34623 reported)

Fixed In

• Python 2.7.16 (2019-03-02) fixed by commit 18b20ba (branch 2.7) (2018-09-18)
• Python 3.4.10 (2019-03-18) fixed by commit d16eaf3 (branch 3.5) (2019-02-25)
• Python 3.5.7 (2019-03-18) fixed by commit 41b48e7 (branch 3.4) (2019-02-25)
• Python 3.6.7 (2018-10-20) fixed by commit f7666e8 (branch 3.6) (2018-09-18)
• Python 3.7.1 (2018-10-20) fixed by commit 470a435 (branch 3.7) (2018-09-18)
• Python 3.8.0 (2019-10-14) fixed by commit cb5778f (branch 3.8) (2018-09-18)

Python issue

_elementtree.c doesn’t call XML_SetHashSalt().

• Python issue: bpo-34623
• Creation date: 2018-09-10
• Reporter: Christian Heimes

CVE-2018-14647

Python’s elementtree C accelerator failed to initialise Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

• CVE ID: CVE-2018-14647
• Published: 2018-09-25
• CVSS Score: 5.0

Timeline

Timeline using the disclosure date 2018-09-10 as reference:

• 2018-09-10: Python issue bpo-34623 reported by Christian Heimes
• 2018-09-18 (+8 days): commit 18b20ba (branch 2.7)
• 2018-09-18 (+8 days): commit 470a435 (branch 3.7)
• 2018-09-18 (+8 days): commit cb5778f (branch 3.8)
• 2018-09-18 (+8 days): commit f7666e8 (branch 3.6)
• 2018-09-25 (+15 days): CVE-2018-14647 published
• 2018-10-20 (+40 days): Python 3.6.7 released
• 2018-10-20 (+40 days): Python 3.7.1 released
• 2019-02-25 (+168 days): commit 41b48e7 (branch 3.4)
• 2019-02-25 (+168 days): commit d16eaf3 (branch 3.5)
• 2019-03-02 (+173 days): Python 2.7.16 released
• 2019-03-18 (+189 days): Python 3.4.10 released
• 2019-03-18 (+189 days): Python 3.5.7 released
• 2019-10-14: Python 3.8.0 released

Links

• https://bugzilla.redhat.com/show_bug.cgi?id=1632095