Bug 1631822 (CVE-2018-14647) - CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
Summary: CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
Status: CLOSED ERRATA
Alias: CVE-2018-14647
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180922,repor...
Keywords: Security
Depends On: 1636838 1636841 1709351 1632084 1632085 1632086 1632087 1632088 1632089 1632090 1632091 1632092 1632093 1632094 1632095 1632096 1632531 1636839 1636840 1638355 1709360
Blocks: 1631825
 
Reported: 2018-09-21 16:00 UTC by Pedro Sampaio
Modified: 2019-06-14 09:04 UTC (History)

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM.
Clone Of:
Last Closed: 2019-06-10 10:38:28 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1260 None None None 2019-05-22 12:01 UTC

Description Pedro Sampaio 2018-09-21 16:00:27 UTC
A flaw was found in python's _elementtree.c module, a wrapper for the libexpat XML parser. The xml.etree C accelerator doesn't call XML_SetHashSalt(), failing to properly initiate the random hash seed from a good CSPRNG source and making hash collision attacks with carefully crafted XML data easier.

Upstream bug:

https://bugs.python.org/issue34623

Comment 1 Pedro Sampaio 2018-09-21 16:01:58 UTC
Acknowledgments:

Name: the Python Security Response Team

Comment 2 Doran Moppert 2018-09-24 05:51:35 UTC
Note that expat >=2.2.2 will internally initialize the hash salt with a more securely generated value providing arc4random, getrandom or /dev/urandom is available. The risk is greatest on earlier versions of expat (e.g. 2.1.0) or where such sources are not available.
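A defender-side exposure check derived from the note above, added here as an example (it is not code from the bug report, from CPython or from Expat): it reads the Expat version bundled with the running interppreter via the real `pyexpat.EXPAT_VERSION` string, compares it against the 2.2.2 threshold named in the comment, and checks whether a kernel randomness source is reachable. The function names, the risk wording and the sample version strings are this example's own assumptions.

```python
"""Assess whether an interpreter whose _elementtree.c never calls
XML_SetHashSalt() still gets a randomised Expat hash salt.

Per the comment above, Expat >= 2.2.2 seeds the salt itself from
arc4random, getrandom or /dev/urandom; older Expat (e.g. 2.1.0) relies on
the embedding application, which is the gap CVE-2018-14647 describes.
Function names and risk labels are assumptions made for this example.
"""
import os
import re

# Threshold taken from the comment above (Expat self-seeds from 2.2.2 on).
SELF_SEEDING_EXPAT = (2, 2, 2)


def parse_expat_version(version_string):
    """Turn Expat's banner string (e.g. 'expat_2.2.5') into an int tuple."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError("unrecognised Expat version string: %r" % version_string)
    return tuple(int(part) for part in match.groups())


def expat_self_seeds(version):
    """True when this Expat release initialises its own hash salt."""
    return tuple(version) >= SELF_SEEDING_EXPAT


def randomness_source_available():
    """Does the host offer getrandom() or /dev/urandom for Expat to read?"""
    return hasattr(os, "getrandom") or os.path.exists("/dev/urandom")


def assess(version_string, urandom_available=True):
    """Return (expat_version, risk_label) for a given Expat banner string.

    The label is 'high' when the salt depends entirely on the (missing)
    XML_SetHashSalt() call, 'low' when Expat seeds it internally.
    """
    version = parse_expat_version(version_string)
    if expat_self_seeds(version) and urandom_available:
        return version, "low: Expat >= 2.2.2 seeds its own hash salt"
    if expat_self_seeds(version):
        return version, "medium: Expat can self-seed but no randomness source was found"
    return version, "high: Expat < 2.2.2 relies on XML_SetHashSalt(), which the accelerator never calls"


def assess_running_interpreter():
    """Apply the check to the Expat actually linked into this Python."""
    import pyexpat  # C module behind xml.parsers.expat and _elementtree
    return assess(pyexpat.EXPAT_VERSION, randomness_source_available())


if __name__ == "__main__":
    version, risk = assess_running_interpreter()
    print("bundled Expat %s -> %s" % (".".join(map(str, version)), risk))
```

Run it under each Python build you ship; a "high" result on an interpreter that predates the upstream fix for bpo-34623 means the hash salt is effectively static for every document that interpreter parses.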

Comment 3 Doran Moppert 2018-09-24 05:51:54 UTC
External References:

https://bugs.python.org/issue34623

Comment 4 Doran Moppert 2018-09-24 05:54:41 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1632089]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1632084]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1632085]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1632088]


Created python34 tracking bugs for this issue:

Affects: epel-6 [bug 1632091]
Affects: epel-7 [bug 1632092]
Affects: fedora-all [bug 1632086]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1632087]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1632093]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1632090]

Comment 6 Doran Moppert 2018-09-24 06:05:30 UTC
Expat's low-quality hash initialization is known as CVE-2016-5300:

https://bugzilla.redhat.com/show_bug.cgi?id=1343085
https://github.com/libexpat/libexpat/pull/30/commits

Comment 7 Miro Hrončok 2018-09-24 10:06:32 UTC
I'm missing the python36 fedora-all bugzilla.

Comment 8 Doran Moppert 2018-09-25 02:38:03 UTC
Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1632531]

Comment 10 errata-xmlrpc 2019-05-22 12:01:49 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260

