Bug 1631822 (CVE-2018-14647) - CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
Summary: CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-14647
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1632084 1632085 1632086 1632087 1632088 1632089 1632090 1632091 1632092 1632093 1632094 1632095 1632096 1632531 1636838 1636839 1636840 1636841 1638355 1709351 1709360 1802749 1802750 1802751
Blocks: 1631825
Reported: 2018-09-21 16:00 UTC by Pedro Sampaio
Modified: 2021-02-16 23:01 UTC
CC List: 23 users

Fixed In Version: python 3.7.1, python 3.6.7, python 2.7.16
Doc Type: If docs needed, set a value
Doc Text:
Python's xml.etree C accelerator (_elementtree) failed to initialise Expat's hash salt when creating a parser. This made it easier to conduct denial of service attacks against Expat by constructing an XML document that causes pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:38:28 UTC
Embargoed:


Links

System                    ID             Last Updated
Red Hat Product Errata    RHSA-2019:1260 2019-05-22 12:01:50 UTC
Red Hat Product Errata    RHSA-2019:2030 2019-08-06 12:04:49 UTC
Red Hat Product Errata    RHSA-2019:3725 2019-11-06 09:45:17 UTC
Red Hat Product Errata    RHSA-2020:1268 2020-04-01 08:34:08 UTC
Red Hat Product Errata    RHSA-2020:1346 2020-04-07 09:33:29 UTC
Red Hat Product Errata    RHSA-2020:1462 2020-04-14 17:39:54 UTC

Description Pedro Sampaio 2018-09-21 16:00:27 UTC
A flaw was found in python's _elementtree.c module, a wrapper for the libexpat XML parser. The xml.etree C accelerator doesn't call XML_SetHashSalt(), failing to properly initialize the random hash seed from a good CSPRNG source and making hash collision attacks with carefully crafted XML data easier.

Upstream bug:

https://bugs.python.org/issue34623

Comment 1 Pedro Sampaio 2018-09-21 16:01:58 UTC
Acknowledgments:

Name: the Python Security Response Team

Comment 2 Doran Moppert 2018-09-24 05:51:35 UTC
Note that expat >=2.2.2 will internally initialize the hash salt with a more securely generated value, provided arc4random, getrandom or /dev/urandom is available. The risk is greatest on earlier versions of expat (e.g. 2.1.0) or where such sources are not available.
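
A quick exposure check, as an added example that is not from the bug report, from CPython or from libexpat: it encodes the releases listed under "Fixed In Version" (3.7.1, 3.6.7, 2.7.16) and the Expat >= 2.2.2 self-salting behaviour from Comment 2, and applies them to a given Python/Expat version pair or to the running interpreter via the stdlib pyexpat module. The function names and the fixed/mitigated/exposed labels are mine; that branches newer than 3.7 carry the fix and that branches not named on this page do not is an assumption, as is the caveat that "mitigated" still depends on the OS offering a good entropy source.

```python
"""
Added example (not part of the bug report or CPython): decide whether a given
Python interpreter is still exposed to CVE-2018-14647 using only the facts on
this page: CPython started calling XML_SetHashSalt() in 3.7.1, 3.6.7 and
2.7.16, and Expat >= 2.2.2 salts its hash tables itself when arc4random,
getrandom or /dev/urandom is available.
"""
import sys

# From "Fixed In Version": first release of each branch with the fix.
FIXED_PYTHON = {
    (2, 7): (2, 7, 16),
    (3, 6): (3, 6, 7),
    (3, 7): (3, 7, 1),
}
# Comment 2: Expat >= 2.2.2 seeds the salt internally from a good entropy source.
EXPAT_SELF_SALTING = (2, 2, 2)


def parse_version(text):
    """Turn '3.6.7', '3.7.1rc1' or 'expat_2.4.1' into a tuple of ints."""
    digits = text.rsplit("_", 1)[-1]          # strip the 'expat_' prefix if present
    parts = []
    for piece in digits.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)


def python_has_fix(python_version):
    """True if this CPython release calls XML_SetHashSalt() in _elementtree.c."""
    branch = (python_version[0], python_version[1])
    fixed = FIXED_PYTHON.get(branch)
    if fixed is None:
        # Assumption: branches released after 3.7 inherit the fix; branches not
        # named on this page are treated conservatively as unfixed.
        return branch > (3, 7)
    return tuple(python_version[:3]) >= fixed


def expat_self_salts(expat_version):
    """True if libexpat is new enough to seed its own hash salt (Comment 2)."""
    return tuple(expat_version[:3]) >= EXPAT_SELF_SALTING


def assess(python_version, expat_version):
    """
    'fixed'     - CPython itself sets the salt; nothing more to do.
    'mitigated' - CPython is unfixed but Expat >= 2.2.2 salts internally,
                  as long as the OS offers arc4random/getrandom//dev/urandom.
    'exposed'   - neither side initialises the salt: crafted XML can trigger
                  pathological hash collisions in Expat (CPU/RAM DoS).
    """
    if python_has_fix(python_version):
        return "fixed"
    if expat_self_salts(expat_version):
        return "mitigated"
    return "exposed"


def assess_running_interpreter():
    """Apply the check to the interpreter running this script."""
    import pyexpat  # stdlib; EXPAT_VERSION is the linked/bundled Expat, e.g. 'expat_2.4.1'
    return assess(tuple(sys.version_info[:3]), parse_version(pyexpat.EXPAT_VERSION))


if __name__ == "__main__":
    import pyexpat
    print("Python %s, %s -> %s" % (sys.version.split()[0],
                                   pyexpat.EXPAT_VERSION,
                                   assess_running_interpreter()))
```

Run it under each interpreter you ship (system python, SCL python, embedded copies); a "mitigated" result only holds where the process can reach a good entropy source, so an Expat built without getrandom//dev/urandom support should still be treated as exposed.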

Comment 3 Doran Moppert 2018-09-24 05:51:54 UTC
External References:

https://bugs.python.org/issue34623

Comment 4 Doran Moppert 2018-09-24 05:54:41 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1632089]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1632084]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1632085]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1632088]


Created python34 tracking bugs for this issue:

Affects: epel-6 [bug 1632091]
Affects: epel-7 [bug 1632092]
Affects: fedora-all [bug 1632086]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1632087]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1632093]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1632090]

Comment 6 Doran Moppert 2018-09-24 06:05:30 UTC
Expat's low-quality hash initialization is known as CVE-2016-5300:

https://bugzilla.redhat.com/show_bug.cgi?id=1343085
https://github.com/libexpat/libexpat/pull/30/commits

Comment 7 Miro Hrončok 2018-09-24 10:06:32 UTC
I'm missing the python36 fedora-all Bugzilla.

Comment 8 Doran Moppert 2018-09-25 02:38:03 UTC
Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1632531]

Comment 10 errata-xmlrpc 2019-05-22 12:01:49 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260

Comment 11 errata-xmlrpc 2019-08-06 12:04:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030

Comment 12 errata-xmlrpc 2019-11-06 09:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725

Comment 14 errata-xmlrpc 2020-04-01 08:34:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1268 https://access.redhat.com/errata/RHSA-2020:1268

Comment 15 errata-xmlrpc 2020-04-07 09:33:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions

Via RHSA-2020:1346 https://access.redhat.com/errata/RHSA-2020:1346

Comment 16 errata-xmlrpc 2020-04-14 17:39:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1462 https://access.redhat.com/errata/RHSA-2020:1462

