Bug 1631822 (CVE-2018-14647)

Summary: CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, adev88, cstratak, dbaker, dmalcolm, hhorak, jeffrey.ness, jokerman, jorton, kevin, mcyprian, mhroncok, pviktori, python-maint, rkuska, security-response-team, shcherbina.iryna, slawomir, sthangav, TicoTimo, tomspur, torsava, trankin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python 3.7.1, python 3.6.7, python 2.7.16
Doc Type: If docs needed, set a value
Doc Text:
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:38:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1632084, 1632085, 1632086, 1632087, 1632088, 1632089, 1632090, 1632091, 1632092, 1632093, 1632094, 1632095, 1632096, 1632531, 1636838, 1636839, 1636840, 1636841, 1638355, 1709351, 1709360, 1802749, 1802750, 1802751
Bug Blocks: 1631825

Description Pedro Sampaio 2018-09-21 16:00:27 UTC
A flaw was found in python's _elementtree.c module, a wrapper for the libexpat XML parser. The xml.etree C accelerator doesn't call XML_SetHashSalt(), failing to properly initiate the random hash seed from a good CSPRNG source and making hash collision attacks with carefully crafted XML data easier.

Upstream bug:

https://bugs.python.org/issue34623.

Comment 1 Pedro Sampaio 2018-09-21 16:01:58 UTC
Acknowledgments:

Name: the Python Security Response Team

Comment 2 Doran Moppert 2018-09-24 05:51:35 UTC
Note that expat >=2.2.2 will internally initialize the hash salt with a more securely generated value, providing arc4random, getrandom or /dev/urandom is available. The risk is greatest on earlier versions of expat (e.g. 2.1.0) or where such sources are not available.
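The description and Comment 2 together give a two-layer picture: the interpreter fix (calling XML_SetHashSalt() in _elementtree.c, shipped in python 3.7.1, 3.6.7 and 2.7.16) and, independently, libexpat >= 2.2.2 seeding its own salt when a secure source is present. The triage helper below is an added example written for this page; it is not code from the bug report, from CPython or from libexpat. It encodes only the versions stated above, treats any upstream release not listed as "Fixed In Version" (other than 3.8+) as unfixed, and reads the running interpreter's Python and expat versions through the real `sys.version_info` and `pyexpat.version_info` attributes. The function names and the "fixed"/"mitigated"/"exposed" labels are this example's own.

```python
"""Triage heuristic for CVE-2018-14647 (missing XML_SetHashSalt() in _elementtree.c).

Constructed example, not code from the bug report or from CPython. Two facts
from the report drive it:
  * fixed upstream CPython releases: 3.7.1, 3.6.7, 2.7.16 ("Fixed In Version")
  * libexpat >= 2.2.2 seeds its own hash salt from arc4random/getrandom/
    /dev/urandom when available (Comment 2), which limits the impact on an
    unfixed interpreter.
Caveat: distribution builds (RHEL, RHSCL) backport fixes without changing the
upstream version string, so for those the errata list on this page, not this
heuristic, is authoritative.
"""
import sys
import pyexpat

# Upstream CPython releases that contain the fix, per "Fixed In Version".
FIXED_IN = {
    (2, 7): (2, 7, 16),
    (3, 6): (3, 6, 7),
    (3, 7): (3, 7, 1),
}

# First libexpat release that initializes its own hash salt (Comment 2).
EXPAT_SELF_SALTING = (2, 2, 2)


def python_has_fix(version):
    """True if upstream CPython `version` (major, minor, micro) ships the fix."""
    major, minor, micro = tuple(version)[:3]
    if major == 2:
        return minor == 7 and micro >= FIXED_IN[(2, 7)][2]
    if major == 3:
        if minor > 7:  # 3.8 and later were released after the fix landed
            return True
        fixed = FIXED_IN.get((3, minor))
        # Branches not listed on the page (e.g. 3.5) are treated as unfixed.
        return fixed is not None and micro >= fixed[2]
    return False


def expat_self_salts(expat_version):
    """True if libexpat `expat_version` (major, minor, micro) seeds its own salt."""
    return tuple(expat_version)[:3] >= EXPAT_SELF_SALTING


def assess(python_version, expat_version):
    """Classify a (CPython, libexpat) pair.

    "fixed"     - the interpreter itself calls XML_SetHashSalt()
    "mitigated" - interpreter lacks the fix, but libexpat >= 2.2.2 self-seeds
                  (still depends on a secure random source being available)
    "exposed"   - neither side initializes the salt; pathological collisions
                  in Expat's hash tables are reachable with crafted input
    """
    if python_has_fix(python_version):
        return "fixed"
    if expat_self_salts(expat_version):
        return "mitigated"
    return "exposed"


def assess_running_interpreter():
    """Apply the heuristic to the interpreter executing this script."""
    return assess(tuple(sys.version_info[:3]), tuple(pyexpat.version_info))


if __name__ == "__main__":
    print("python %s, %s -> %s" % (
        ".".join(str(n) for n in sys.version_info[:3]),
        pyexpat.EXPAT_VERSION,  # e.g. "expat_2.2.5"
        assess_running_interpreter(),
    ))
```

Run it with each interpreter you ship (`python2`, `python3`, the RHSCL `rh-python36` binary, and so on); a result of "mitigated" means the protection comes from the system libexpat rather than the interpreter, which matters when that libexpat is an older 2.1.x build or runs somewhere without getrandom or /dev/urandom.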

Comment 3 Doran Moppert 2018-09-24 05:51:54 UTC
External References:

https://bugs.python.org/issue34623

Comment 4 Doran Moppert 2018-09-24 05:54:41 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1632089]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1632084]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1632085]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1632088]


Created python34 tracking bugs for this issue:

Affects: epel-6 [bug 1632091]
Affects: epel-7 [bug 1632092]
Affects: fedora-all [bug 1632086]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1632087]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1632093]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1632090]

Comment 6 Doran Moppert 2018-09-24 06:05:30 UTC
Expat's low-quality hash initialization is known as CVE-2016-5300:

https://bugzilla.redhat.com/show_bug.cgi?id=1343085
https://github.com/libexpat/libexpat/pull/30/commits

Comment 7 Miro Hrončok 2018-09-24 10:06:32 UTC
I miss python36 fedora-all bugzilla.

Comment 8 Doran Moppert 2018-09-25 02:38:03 UTC
Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1632531]

Comment 10 errata-xmlrpc 2019-05-22 12:01:49 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260

Comment 11 errata-xmlrpc 2019-08-06 12:04:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030

Comment 12 errata-xmlrpc 2019-11-06 09:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725

Comment 14 errata-xmlrpc 2020-04-01 08:34:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1268 https://access.redhat.com/errata/RHSA-2020:1268

Comment 15 errata-xmlrpc 2020-04-07 09:33:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions

Via RHSA-2020:1346 https://access.redhat.com/errata/RHSA-2020:1346

Comment 16 errata-xmlrpc 2020-04-14 17:39:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1462 https://access.redhat.com/errata/RHSA-2020:1462