[issue29591] Various security vulnerabilities in bundled expat
STINNER Victor
report at bugs.python.org
Fri Feb 17 10:41:46 EST 2017
STINNER Victor added the comment:
> CVE-2012-6702 (issue 519)
> Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue 496)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
Extract of Modules/pyexpat.c:
---
#if ((XML_MAJOR_VERSION >= 2) && (XML_MINOR_VERSION >= 1)) || defined(XML_HAS_SET_HASH_SALT)
/* This feature was added upstream in libexpat 2.1.0. Our expat copy
* has a backport of this feature where we also define XML_HAS_SET_HASH_SALT
* to indicate that we can still use it. */
XML_SetHashSalt(self->itself,
(unsigned long)_Py_HashSecret.prefix);
#endif
---
Python 2.7, 3.5, 3.6 and 3.7 have this call at least (I didn't check other versions).
----------
nosy: +christian.heimes, haypo
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29591>
_______________________________________
More information about the Python-bugs-list
mailing list