Bug 2240059 (CVE-2022-48565)

Summary: CVE-2022-48565 python: XML External Entity in XML processing plistlib module
Product: [Other] Security Response
Component: vulnerability
Reporter: msiddiqu
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: hhorak, jorton, python-maint
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: python 3.10.0a2, python 3.9.1rc, python 3.8.7rc1, python 3.7.10, python 3.6.13
Doc Text: A flaw was found in Python caused by improper handling of XML external entity (XXE) declarations by the plistlib module. By using a specially crafted XML content, an attacker could obtain sensitive information by disclosing files specified by parsing URI, and may cause denial of service by resource exhaustion.
Bug Depends On: 2240060, 2240061, 2240062, 2240064, 2240065, 2240066, 2240067, 2240068, 2240069, 2240072
Bug Blocks: 2240063

Description msiddiqu 2023-09-21 15:45:01 UTC
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

Comment 1 msiddiqu 2023-09-21 15:46:21 UTC
Created python2.7 tracking bugs for this issue:
Affects: fedora-all [bug 2240062]

Created python3.10 tracking bugs for this issue:
Affects: fedora-all [bug 2240064]

Created python3.11 tracking bugs for this issue:
Affects: fedora-all [bug 2240061]

Created python3.12 tracking bugs for this issue:
Affects: fedora-all [bug 2240065]

Created python3.6 tracking bugs for this issue:
Affects: fedora-all [bug 2240066]

Created python3.7 tracking bugs for this issue:
Affects: fedora-all [bug 2240067]

Created python3.8 tracking bugs for this issue:
Affects: fedora-all [bug 2240068]

Created python3.9 tracking bugs for this issue:
Affects: fedora-all [bug 2240069]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 2240060]

Comment 11 msiddiqu 2023-09-22 13:08:51 UTC
The versions of Python as shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9 either have fixed code or they just provide `symlinks` to the main `python3` component, which provides the actual interpreter of the Python programming language. Based on this, both Red Hat Enterprise Linux versions 8 and 9 are not affected.

Comment 12 msiddiqu 2023-09-22 13:19:44 UTC
In reply to comment #11:
> The versions of Python as shipped with Red Hat Enterprise Linux 8 and Red
> Hat Enterprise Linux 9 either has fixed code or they just provide `symlinks`
> to the main `python3` component, which provides the actual interpreter of
> the Python programming language. Based on this, both Red Hat Enterprise Linux
> versions 8 and 9 are not affected.

The plistlib module in python is used to generate and parse Apple .plist files
that are commonly used for configuration and storage of application-specific
settings and preferences within the context of Apple's macOS and iOS ecosystems.
It is not in the general use case to parse plist files over the network. Also,
in Python 3, all external entity expansions are disabled.

Comment 13 msiddiqu 2023-09-22 15:38:39 UTC
In reply to comment #12:

> The plistlib module in python is used to generate and parse Apple .plist files
> that are commonly used for configuration and storage of application-specific
> settings and preferences within the context of Apple's macOS and iOS ecosystems.
> It is not in the general use case to parse plist files over the network. Also,
> in Python 3, all external entity expansions are disabled.

The conditions for this vulnerability to be exploited:

- Have a vulnerable python installed
- Utilize the plistlib module
- Parse a vulnerable .plist file

This makes it highly improbable for a general remote use case.

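The behaviour described in the bug description (fixed plistlib refuses entity declarations outright), as an added example that is not part of this bug report or of CPython: a probe that tells whether the running interpreter carries the fix, and a hypothetical `safe_load_plist()` wrapper that enforces the same refusal through expat's `EntityDeclHandler` for code that must still run on interpreters predating the fix. Both sample plists are constructed; the entity in the second one expands to a literal string and serves only as a probe.

```python
import plistlib
from xml.parsers import expat

# Constructed sample: a normal XML plist with Apple's standard DOCTYPE and no entities.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>Name</key><string>example</string></dict></plist>
"""

# Constructed sample: the same document with an internal entity declaration in the
# DOCTYPE subset. It is a harmless probe (the entity expands to a literal string);
# fixed plistlib releases refuse any entity declaration, unfixed ones expand it.
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY probe "expanded"> ]>
<plist version="1.0"><dict><key>Name</key><string>&probe;</string></dict></plist>
"""


def plistlib_rejects_entity_declarations() -> bool:
    """True if the running interpreter carries the CVE-2022-48565 fix."""
    try:
        plistlib.loads(ENTITY_PLIST)
    except plistlib.InvalidFileException:
        return True
    return False


def _reject_entity_decl(*_args):
    # expat invokes this for every <!ENTITY ...> declaration (7 positional args);
    # refusing here mirrors what the upstream fix does inside plistlib's parser.
    raise plistlib.InvalidFileException(
        "XML entity declarations are not supported in plist files")


def safe_load_plist(data: bytes) -> dict:
    """Hypothetical wrapper (not part of plistlib): plistlib.loads() for XML plists,
    preceded by an expat pass that refuses entity declarations.

    Redundant on fixed interpreters; on older ones it closes the same gap.
    """
    preflight = expat.ParserCreate()
    preflight.EntityDeclHandler = _reject_entity_decl
    preflight.Parse(data, True)  # raises at the first entity declaration
    return plistlib.loads(data, fmt=plistlib.FMT_XML)
```

Binary plists are out of scope for the wrapper, since the expat pass only accepts XML input.
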
Comment 14 Fedora Update System 2023-10-21 01:29:39 UTC
FEDORA-2023-348a0dbcf3 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2023-11-03 18:36:11 UTC
FEDORA-2023-ea38857cc3 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2024-05-22 09:26:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2987 https://access.redhat.com/errata/RHSA-2024:2987