An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
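The following is an added example, not code from this bug report or from CPython, showing what the upstream fix changes from a consumer's point of view: a plist whose DOCTYPE carries an entity declaration is rejected by a patched plistlib with `InvalidFileException`, while a plist with the ordinary Apple DOCTYPE (no internal subset) still parses. Both plist documents below are constructed sample input. The `has_entity_declaration` pre-check and the `load_plist_strict` wrapper are assumed helper names; they give an application the same refusal on interpreters that predate the fixed versions listed in this bug, and `patched_plistlib_rejects_entities` lets you confirm which behaviour the running interpreter has.

```python
import plistlib
import re

# Constructed sample: a benign XML plist with the standard Apple DOCTYPE.
# expat does not fetch the external DTD, so this has always parsed cleanly.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>example</string>
    <key>Enabled</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the same document shape, but the DOCTYPE has an internal
# subset with an entity declaration. Patched plistlib refuses this outright.
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY name "example">
]>
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>&name;</string>
</dict>
</plist>
"""

# Entity declarations only ever appear as "<!ENTITY" (XML keywords are
# case-sensitive), so a byte-level scan is enough for a pre-parse screen.
_ENTITY_DECL = re.compile(rb"<!ENTITY\b")


def has_entity_declaration(data: bytes) -> bool:
    """Return True if the plist bytes contain any entity declaration (assumed helper)."""
    return _ENTITY_DECL.search(data) is not None


def load_plist_strict(data: bytes) -> dict:
    """Parse an XML plist, refusing any document that declares entities (assumed helper).

    The pre-check rejects the document before expat sees it, so the behaviour
    is the same on interpreters with and without the upstream fix; on a patched
    interpreter plistlib would raise InvalidFileException on its own anyway.
    """
    if has_entity_declaration(data):
        raise plistlib.InvalidFileException(
            "entity declarations are not allowed in plist input")
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def strict_loader_rejects(data: bytes) -> bool:
    """True if load_plist_strict refuses the input, False if it parses."""
    try:
        load_plist_strict(data)
    except plistlib.InvalidFileException:
        return True
    return False


def patched_plistlib_rejects_entities() -> bool:
    """Report whether this interpreter's plistlib itself carries the fix.

    Calls plistlib directly, bypassing the pre-check: a fixed plistlib raises
    InvalidFileException on the entity declaration; an unfixed one parses it.
    """
    try:
        plistlib.loads(ENTITY_PLIST, fmt=plistlib.FMT_XML)
    except plistlib.InvalidFileException:
        return True
    return False


if __name__ == "__main__":
    print("benign plist:", load_plist_strict(BENIGN_PLIST))
    print("entity plist rejected by wrapper:", strict_loader_rejects(ENTITY_PLIST))
    print("interpreter plistlib carries the fix:", patched_plistlib_rejects_entities())
```

Run it under an interpreter at or above the fixed versions (3.6.13, 3.7.10, 3.8.7, 3.9.1, 3.10.0a2) and the last line reports `True`; on an older interpreter it reports `False`, which is exactly the gap the pre-check in `load_plist_strict` is there to cover.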
Created python2.7 tracking bugs for this issue: Affects: fedora-all [bug 2240062]
Created python3.10 tracking bugs for this issue: Affects: fedora-all [bug 2240064]
Created python3.11 tracking bugs for this issue: Affects: fedora-all [bug 2240061]
Created python3.12 tracking bugs for this issue: Affects: fedora-all [bug 2240065]
Created python3.6 tracking bugs for this issue: Affects: fedora-all [bug 2240066]
Created python3.7 tracking bugs for this issue: Affects: fedora-all [bug 2240067]
Created python3.8 tracking bugs for this issue: Affects: fedora-all [bug 2240068]
Created python3.9 tracking bugs for this issue: Affects: fedora-all [bug 2240069]
Created python34 tracking bugs for this issue: Affects: epel-all [bug 2240060]
Upstream issue:
https://bugs.python.org/issue42051
https://github.com/python/cpython/issues/86217

Upstream commits:
https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 (v3.10.0a2)
https://github.com/python/cpython/commit/479553c7c11306a09ce34edb6ef208133b7b95fe (v3.9.1rc1)
https://github.com/python/cpython/commit/65894cac0835cb8f469f649e20aa1be8bf89f5ae (v3.8.7rc1)
https://github.com/python/cpython/commit/e512bc799e3864fe3b1351757261762d63471efc (v3.7.10)
https://github.com/python/cpython/commit/a158fb9c5138db94adf24fbc5690467cda811163 (v3.6.13)
The versions of Python as shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9 either have fixed code or they just provide `symlinks` to the main `python3` component, which provides the actual interpreter of the Python programming language. Based on this, both Red Hat Enterprise Linux versions 8 and 9 are not affected.
In reply to comment #11:
> The versions of Python as shipped with Red Hat Enterprise Linux 8 and Red
> Hat Enterprise Linux 9 either have fixed code or they just provide `symlinks`
> to the main `python3` component, which provides the actual interpreter of
> the Python programming language. Based on this, both Red Hat Enterprise Linux
> versions 8 and 9 are not affected.

The plistlib module in python is used to generate and parse Apple .plist files that are commonly used for configuration and storage of application-specific settings and preferences within the context of Apple's macOS and iOS ecosystems. It is not in the general use case to parse plist files over the network. Also, in Python 3, all external entity expansions are disabled.
In reply to comment #12:
> The plistlib module in python is used to generate and parse Apple .plist
> files that are commonly used for configuration and storage of application-specific
> settings and preferences within the context of Apple's macOS and iOS
> ecosystems. It is not in the general use case to parse plist files over the network.
> Also, in Python 3, all external entity expansions are disabled.

+ The conditions for this vulnerability to be exploited:
- Have a vulnerable python installed
- Utilize the plistlib module
- Parse a vulnerable .plist file

This makes it highly improbable for a general remote use case.
FEDORA-2023-348a0dbcf3 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-ea38857cc3 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.