Skip to content

/ cpython

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.4] bpo-34623: Use XML_SetHashSalt in _elementtree #9953

Merged
merged 2 commits into from Feb 25, 2019
Merged

[3.4] bpo-34623: Use XML_SetHashSalt in _elementtree #9953

merged 2 commits into from Feb 25, 2019

Conversation

@stratakis
Copy link
Contributor

@stratakis stratakis commented Oct 18, 2018
edited by bedevere-bot

Backport for the 3.4 branch.

https://bugs.python.org/issue34623
miss-islington and others added 2 commits Sep 18, 2018
@miss-islington @tiran @stratakis
bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
d24304f 
The C accelerated _elementtree module now initializes hash randomization
salt from _Py_HashSecret instead of libexpat's default CPRNG.

Signed-off-by: Christian Heimes <christian@python.org>

https://bugs.python.org/issue34623
(cherry picked from commit cb5778f)

Co-authored-by: Christian Heimes <christian@python.org>
@miss-islington @stratakis
[3.4] bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482) (GH-9489
Loading status checks…
a535553 
)

https://bugs.python.org/issue34623
(cherry picked from commit 026337a)

Co-authored-by: Christian Heimes <christian@python.org>

https://bugs.python.org/issue34623
@stratakis
stratakis reviewed Oct 18, 2018
View changes
Modules/_elementtree.c
@@ -3259,6 +3259,11 @@ xmlparser_init(PyObject *self, PyObject *args, PyObject *kwds)
PyErr_NoMemory();
return -1;
}
/* expat < 2.1.0 has no XML_SetHashSalt() */
if (EXPAT(SetHashSalt) != NULL) {
EXPAT(SetHashSalt)(self_xp->parser,

This comment has been minimized.

Sign in to view
@stratakis

stratakis Oct 18, 2018
Author Contributor

This is the only line that has been modified from the previous PR's. Namely it's self_xp->parser on 3.4. On the other branches it's self->parser due to argumentclinication.
@vstinner
vstinner approved these changes Oct 18, 2018
View changes
Copy link
Member

@vstinner vstinner left a comment

LGTM.

@tiran: Would you mind to review it as well?
@serhiy-storchaka serhiy-storchaka requested a review from tiran Oct 18, 2018
@vstinner
Copy link
Member

@vstinner vstinner commented Oct 24, 2018

Oh, Travis CI failed on a random failure:

======================================================================
ERROR: test_ignore (test.test_multiprocessing_forkserver.TestIgnoreEINTR)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/travis/build/python/cpython/Lib/test/_test_multiprocessing.py", line 3623, in test_ignore
    os.kill(p.pid, signal.SIGUSR1)
ProcessLookupError: [Errno 3] No such process

I scheduled a new job.
@vstinner vstinner closed this Jan 21, 2019
@vstinner vstinner reopened this Jan 21, 2019
@vstinner
Copy link
Member

@vstinner vstinner commented Jan 21, 2019

I closed/reopened the PR to trigger a new Travis CI job.
@vstinner
Copy link
Member

@vstinner vstinner commented Jan 23, 2019

@larryhastings: Hi Larry, would you mind to merge this security fix?
@larryhastings larryhastings merged commit d16eaf3 into python:3.4 Feb 25, 2019
4 checks passed
4 checks passed
bedevere/issue-number Issue number 34623 found
Details
bedevere/maintenance-branch-pr Valid maintenance branch PR title.
bedevere/news News entry found in Misc/NEWS.d
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@bedevere-bot
Copy link

@bedevere-bot bedevere-bot commented Feb 25, 2019

@larryhastings: Please replace # with GH- in the commit message next time. Thanks!
@bedevere-bot bedevere-bot removed the awaiting merge label Feb 25, 2019
@larryhastings
Copy link
Contributor

@larryhastings larryhastings commented Feb 25, 2019

Thank for the backported fix!
@stratakis stratakis deleted the stratakis:3.4 branch Jun 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vstinner vstinner

@tiran tiran

Assignees

@larryhastings larryhastings

Labels
CLA signed type-security
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

7 participants
@stratakis @vstinner @bedevere-bot @larryhastings @serhiy-storchaka @the-knights-who-say-ni @miss-islington