bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300) (#2314) · python/cpython@91d171b · GitHub

Commit 91d171b

authored
bpo-30694: Upgrade Modules/expat/ to libexpat 2.2.1 (#2300) (#2314)
New file: Modules/expat/siphash.h. (cherry picked from commit 5ff7132)
1 parent 29c89d0 commit 91d171b


9 files changed

+887
-158
lines changed


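--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -59,6 +59,15 @@ Extension Modules
 Library
 -------
 
+- [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes
+of multiple security vulnerabilities including: CVE-2017-9233 (External
+entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),
+CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718)
+and CVE-2012-0876 (Counter hash flooding with SipHash).
+Note: the CVE-2016-5300 (Use os-specific entropy sources like getrandom)
+doesn't impact Python, since Python already gets entropy from the OS to set
+the expat secret using ``XML_SetHashSalt()``.
+
 - bpo-29755: Fixed the lgettext() family of functions in the gettext module.
 They now always return bytes.
 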

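--- a/Modules/expat/COPYING
+++ b/Modules/expat/COPYING
@@ -1,5 +1,5 @@
 Copyright (c) 1998-2000 Thai Open Source Software Center Ltd and Clark Cooper
-Copyright (c) 2001-2016 Expat maintainers
+Copyright (c) 2001-2017 Expat maintainers
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the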

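--- a/Modules/expat/expat.h
+++ b/Modules/expat/expat.h
@@ -95,7 +95,9 @@ enum XML_Error {
 /* Added in 2.0. */
 XML_ERROR_RESERVED_PREFIX_XML,
 XML_ERROR_RESERVED_PREFIX_XMLNS,
-XML_ERROR_RESERVED_NAMESPACE_URI
+XML_ERROR_RESERVED_NAMESPACE_URI,
+/* Added in 2.2.1. */
+XML_ERROR_INVALID_ARGUMENT
 };
 
 enum XML_Content_Type {
@@ -706,6 +708,7 @@ XML_UseParserAsHandlerArg(XML_Parser parser);
 be called, despite an external subset being parsed.
 Note: If XML_DTD is not defined when Expat is compiled, returns
 XML_ERROR_FEATURE_REQUIRES_XML_DTD.
+Note: If parser == NULL, returns XML_ERROR_INVALID_ARGUMENT.
 */
 XMLPARSEAPI(enum XML_Error)
 XML_UseForeignDTD(XML_Parser parser, XML_Bool useDTD);
@@ -729,15 +732,16 @@ XML_GetBase(XML_Parser parser);
 to the XML_StartElementHandler that were specified in the start-tag
 rather than defaulted. Each attribute/value pair counts as 2; thus
 this correspondds to an index into the atts array passed to the
-XML_StartElementHandler.
+XML_StartElementHandler. Returns -1 if parser == NULL.
 */
 XMLPARSEAPI(int)
 XML_GetSpecifiedAttributeCount(XML_Parser parser);
 
 /* Returns the index of the ID attribute passed in the last call to
-XML_StartElementHandler, or -1 if there is no ID attribute. Each
-attribute/value pair counts as 2; thus this correspondds to an
-index into the atts array passed to the XML_StartElementHandler.
+XML_StartElementHandler, or -1 if there is no ID attribute or
+parser == NULL. Each attribute/value pair counts as 2; thus this
+correspondds to an index into the atts array passed to the
+XML_StartElementHandler.
 */
 XMLPARSEAPI(int)
 XML_GetIdAttributeIndex(XML_Parser parser);
@@ -901,6 +905,7 @@ enum XML_ParamEntityParsing {
 entities is requested; otherwise it will return non-zero.
 Note: If XML_SetParamEntityParsing is called after XML_Parse or
 XML_ParseBuffer, then it has no effect and will always return 0.
+Note: If parser == NULL, the function will do nothing and return 0.
 */
 XMLPARSEAPI(int)
 XML_SetParamEntityParsing(XML_Parser parser,
@@ -910,6 +915,7 @@ XML_SetParamEntityParsing(XML_Parser parser,
 Helps in preventing DoS attacks based on predicting hash
 function behavior. This must be called before parsing is started.
 Returns 1 if successful, 0 when called after parsing has started.
+Note: If parser == NULL, the function will do nothing and return 0.
 */
 XMLPARSEAPI(int)
 XML_SetHashSalt(XML_Parser parser,
@@ -936,6 +942,10 @@ XML_GetErrorCode(XML_Parser parser);
 the location is the location of the character at which the error
 was detected; otherwise the location is the location of the last
 parse event, as described above.
+
+Note: XML_GetCurrentLineNumber and XML_GetCurrentColumnNumber
+return 0 to indicate an error.
+Note: XML_GetCurrentByteIndex returns -1 to indicate an error.
 */
 XMLPARSEAPI(XML_Size) XML_GetCurrentLineNumber(XML_Parser parser);
 XMLPARSEAPI(XML_Size) XML_GetCurrentColumnNumber(XML_Parser parser);
@@ -1039,7 +1049,7 @@ XML_GetFeatureList(void);
 */
 #define XML_MAJOR_VERSION 2
 #define XML_MINOR_VERSION 2
-#define XML_MICRO_VERSION 0
+#define XML_MICRO_VERSION 1
 
 #ifdef __cplusplus
 }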

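--- a/Modules/expat/expat_external.h
+++ b/Modules/expat/expat_external.h
@@ -97,7 +97,10 @@ extern "C" {
 #endif
 
 #ifdef XML_UNICODE_WCHAR_T
-#define XML_UNICODE
+# define XML_UNICODE
+# if defined(__SIZEOF_WCHAR_T__) && (__SIZEOF_WCHAR_T__ != 2)
+# error "sizeof(wchar_t) != 2; Need -fshort-wchar for both Expat and libc"
+# endif
 #endif
 
 #ifdef XML_UNICODE /* Information is UTF-16 encoded. */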
