- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash

table internal to the pyexpat module's copy of the expat library to avoid a denial of service due to hash collisions. Patch by David Malcolm with some modifications by the expat project.

- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash
table internal to the pyexpat module's copy of the expat library to avoid a denial of service due to hash collisions. Patch by David Malcolm with some modifications by the expat project.
e9bc2f77 · Barry Warsaw · 6707826c · e9bc2f77 · e9bc2f77 · e9bc2f77
Commit e9bc2f77 authored Mar 14, 2012 by Barry Warsaw
5 changed files
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -2,6 +2,20 @@
 Python News
 +++++++++++
+What's New in Python 2.6.8 rc 2?
+================================
+*Release date: 2012-XX-XX*
+Library
+-------
+- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash
+  table internal to the pyexpat module's copy of the expat library to avoid a
+  denial of service due to hash collisions.  Patch by David Malcolm with some
+  modifications by the expat project.
 What's New in Python 2.6.8 rc 1?
 ================================
@@ -10,10 +24,11 @@ What's New in Python 2.6.8 rc 1?
 Core and Builtins
 -----------------
- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED
+- Issue #13703: oCERT-2011-003 CVE-2012-1150: add -R command-line
-  environment variable, to provide an opt-in way to protect against denial of
+  option and PYTHONHASHSEED environment variable, to provide an opt-in
-  service attacks due to hash collisions within the dict and set types.  Patch
+  way to protect against denial of service attacks due to hash
-  by David Malcolm, based on work by Victor Stinner.
+  collisions within the dict and set types.  Patch by David Malcolm,
+  based on work by Victor Stinner.
 Library
 -------

--- a/Modules/expat/expat.h
+++ b/Modules/expat/expat.h
@@ -883,6 +883,15 @@ XMLPARSEAPI(int)
 XML_SetParamEntityParsing(XML_Parser parser,
                          enum XML_ParamEntityParsing parsing);
+/* Sets the hash salt to use for internal hash calculations.
+   Helps in preventing DoS attacks based on predicting hash
+   function behavior. This must be called before parsing is started.
+   Returns 1 if successful, 0 when called after parsing has started.
+*/
+XMLPARSEAPI(int)
+XML_SetHashSalt(XML_Parser parser,
+                unsigned long hash_salt);
 /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
   XML_GetErrorCode returns information about the error.
 */

--- a/Modules/expat/pyexpatns.h
+++ b/Modules/expat/pyexpatns.h
@@ -97,6 +97,7 @@
 #define XML_SetEntityDeclHandler        PyExpat_XML_SetEntityDeclHandler
 #define XML_SetExternalEntityRefHandler PyExpat_XML_SetExternalEntityRefHandler
 #define XML_SetExternalEntityRefHandlerArg  PyExpat_XML_SetExternalEntityRefHandlerArg
+#define XML_SetHashSalt                 PyExpat_XML_SetHashSalt
 #define XML_SetNamespaceDeclHandler     PyExpat_XML_SetNamespaceDeclHandler
 #define XML_SetNotationDeclHandler      PyExpat_XML_SetNotationDeclHandler
 #define XML_SetNotStandaloneHandler     PyExpat_XML_SetNotStandaloneHandler

--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
--- a/Modules/pyexpat.c
+++ b/Modules/pyexpat.c
@@ -1355,6 +1355,8 @@ newxmlparseobject(char *encoding, char *namespace_separator, PyObject *intern)
    else {
        self->itself = XML_ParserCreate(encoding);
    }
+    XML_SetHashSalt(self->itself,
+                    (unsigned long)_Py_HashSecret.prefix);
    self->intern = intern;
    Py_XINCREF(self->intern);
 #ifdef Py_TPFLAGS_HAVE_GC