CVE-2018-14647: _elementree C accelerator doesn’t call XML_SetHashSalt()

The pyexpat module calls XML_SetHashSalt() to initialize the salt for hash randomization of the XML_Parser struct.

The _elementree C accelerator doesn’t call XML_SetHashSalt().

  • Disclosure date: 2018-09-10 (Python issue bpo-34623 reported)

Fixed In

Vulnerable Versions

  • Python 3.4
  • Python 3.5

Python issue

_elementtree.c doesn’t call XML_SetHashSalt().

  • Python issue: bpo-34623
  • Creation date: 2018-09-10
  • Reporter: Christian Heimes

CVE-2018-14647

Python’s elementtree C accelerator failed to initialise Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.

Timeline

Timeline using the disclosure date 2018-09-10 as reference: