[3.8] python3: Multiple vulnerabilities (CVE-2018-14647, CVE-2018-20406, CVE-2019-9636)
CVE-2018-14647: Missing salt initialization in _elementtree.c module
A flaw was found in Python's _elementtree.c module, a wrapper for the
libexpat XML parser. The xml.etree C accelerator doesn't call
XML_SetHashSalt(), so it fails to properly initialize
the random hash seed from a good CSPRNG source, making hash collision
attacks with carefully crafted XML data easier.
Fixed In Version:
python 3.7.1, python 3.6.7, python 2.7.16
References:
https://bugs.python.org/issue34623
CVE-2018-20406: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a
large LONG_BINPUT value that is mishandled during a “resize to twice
the size” attempt.
This issue might cause memory exhaustion, but is only relevant if the
pickle format is used for serializing tens or hundreds of gigabytes of
data.
References:
https://bugs.python.org/issue34656
Patch:
https://github.com/python/cpython/commit/71a9c65e74a70b6ed39adc4ba81d311ac1aa2acc
CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by:
Improper Handling of Unicode Encoding (with an incorrect netloc) during
NFKC normalization.
The impact is: Information disclosure (credentials, cookies, etc. that
are cached against a given hostname). The components are:
urllib.parse.urlsplit, urllib.parse.urlparse.
The attack vector is: A specially crafted URL could be incorrectly
parsed to locate cookies or authentication data and send that
information to a different host than when parsed correctly.
References:
https://github.com/python/cpython/pull/12201
https://nvd.nist.gov/vuln/detail/CVE-2019-9636
Patch:
https://github.com/python/cpython/commit/23fc0416454c4ad5b9b23d520fbe6d89be3efc24
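A defensive check for the condition described in CVE-2019-9636, as an added example that is not CPython's patch or part of the original report: it flags netloc characters that NFKC normalization turns into URL delimiters, so such a URL can be rejected before it reaches urlsplit on an unpatched interpreter. The function names and the sample URLs are constructed for illustration, and the netloc extraction is simplified to URLs of the form scheme://authority.

```python
import unicodedata

DELIMS = "/?#@:"  # characters that separate URL components


def raw_netloc(url):
    """Authority part exactly as written (simplified: needs 'scheme://')."""
    _, sep, rest = url.partition("://")
    if not sep:
        return ""
    end = min((i for i in (rest.find(d) for d in "/?#") if i != -1),
              default=len(rest))
    return rest[:end]


def nfkc_delimiter_hits(url):
    """List (code point, NFKC expansion) for netloc characters that
    turn into URL delimiters once NFKC normalization is applied."""
    hits = []
    for ch in raw_netloc(url):
        if ch.isascii():
            continue
        expanded = unicodedata.normalize("NFKC", ch)
        if any(d in expanded for d in DELIMS):
            hits.append((f"U+{ord(ch):04X}", expanded))
    return hits


# Constructed sample URLs (not taken from the advisory).
SAMPLES = [
    "https://www.example.org/index.html",   # plain ASCII host
    "https://b\u00fccher.example/",          # ordinary IDN, unchanged by NFKC
    "https://cdn\u2100.example/",            # U+2100 expands to 'a/c'
    "https://host\uff1a8080.example/",       # U+FF1A expands to ':'
]

if __name__ == "__main__":
    for url in SAMPLES:
        hits = nfkc_delimiter_hits(url)
        print("REJECT" if hits else "ok    ", ascii(url), hits)
```

An empty result means the host part keeps the same component boundaries before and after normalization; any hit means the hostname a later IDNA step sees can differ from the one used to look up cookies or credentials.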
(from redmine: issue id 10298, created on 2019-04-18, closed on 2019-04-23)
- Relations:
- parent #10297 (closed)
- Changesets:
- Revision 66574119 by Natanael Copa on 2019-04-22T10:13:48Z:
main/python3: security upgrade to 3.6.8
- CVE-2018-14647
- CVE-2018-20406
- CVE-2019-9636
fixes #10298