[3.14] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234) #139359
CVE-2025-59375) (pythonGH-139234)

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of disproportional amounts of dynamic memory from within an Expat parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is, parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.

(cherry picked from commit f04bea4)

Co-authored-by: Bénédikt Tran <[email protected]>
I'll wait until gh-139366 is merged to ease future backports.
…on API (python#139366)

Fix some typos left in f04bea4, and simplify some internal functions to ease maintenance of future mitigation APIs.
A core developer needs to review it, and the release manager needs to approve it because we're in RC3 phase. I really want at least two core devs to check this PR to be sure I didn't mess up the backports. I didn't backport the docs changes that will be added in the next one (the one for billion laughs).

@picnixz so the plan is to first get review from Gregory and only then Hugo, I see 👍

I would be happy if you could also review it as you're an expert here as well :')
> I would be happy if you could also review it as you're an expert here as well :')

@picnixz done, looks good 👍

My method of review has been comparing (1) the diff of #139234 against main with (2) the diff in here. What I found was no difference but:

- `Doc/whatsnew/3.15.rst` on main side but not 3.14 (as expected)
- `@permit_long_*` on main side but not 3.14 (as expected)

The tools I used for this were `git rebase -i`, `git diff` and Meld.

So if #139234 was alright (which I believe) then very likely this is, too 👍
Thank you for the review. I'll let Gregory have a look and then Hugo can hit merge I think (only he can merge during RC phase). For the other branches, I would suggest you continue your branch for 3.13 with the latest stuff (or try to directly cherry-pick this specific PR with a new one). I think we should be able to backport this PR to 3.13 directly without too many conflicts (I hope).

FWIW when to merge this is up to the release manager (hugovk). As we're treating it as a security mitigation feature similar to past such things and adding it to older releases as well, that suggests letting this wait for 3.14.1 is fine.

Note for the RM: we have a UAF in all branches, independently of Expat version: See #139400. So I would prefer that this one is not backported until we fix it. On 3.14 we don't see the crash, but on 3.13 (and probably on older branches), we will also see it. I believe we are able not to crash by chance due to some magic in incremental GC.
…and a WIP candidate fix at #139403.
@picnixz In my tests on another notebook I saw two other branches affected directly and once we add

We will merge this one in 3.14.1 (3.14 is now undergoing its release process). To have a good synchronization, we'll also delay 3.10 to 3.13 backports for their next release cycle.
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of disproportional amounts of dynamic memory from within an Expat parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is, parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.

(cherry picked from commits f04bea4 and 68a1778)
📚 Documentation preview 📚: https://cpython-previews--139359.org.readthedocs.build/
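An added example (not code from this PR or from CPython) of how a caller would apply the two setters named above to a `ParserCreate()` parser, with a `hasattr` guard for interpreters that do not yet carry this backport; the threshold and factor values, the sample document and the helper names are assumptions chosen for illustration.

```python
"""Added example, not code from the PR or from CPython: harden a parser created
by xml.parsers.expat.ParserCreate() with the two allocation-tracker setters
this PR exposes, degrading gracefully where pyexpat does not provide them."""
import xml.parsers.expat

# Constructed sample document (not from the PR): a small internal DTD whose
# entity is expanded twice; benign, just enough to exercise the parser.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "aaaaaaaaaa">
]>
<doc><item>&a;</item><item>&a;</item><item/></doc>
"""


def make_hardened_parser(threshold_bytes=16 * 1024 * 1024, max_factor=20.0):
    """Return (parser, mitigation_applied).  threshold_bytes: dynamic memory
    the parser may allocate before the tracker starts enforcing; max_factor:
    tolerated ratio of bytes allocated to bytes of input fed to the parser.
    Both defaults are illustrative values for this example, not library ones."""
    parser = xml.parsers.expat.ParserCreate()
    setters = ("SetAllocTrackerActivationThreshold",
               "SetAllocTrackerMaximumAmplification")
    if not all(hasattr(parser, name) for name in setters):
        # pyexpat built before this backport, or against Expat < 2.7.2:
        # the tracker cannot be tuned from Python, so report that honestly.
        return parser, False
    parser.SetAllocTrackerActivationThreshold(threshold_bytes)
    parser.SetAllocTrackerMaximumAmplification(max_factor)
    return parser, True


def count_elements(data):
    """Parse `data` with a hardened parser; return (elements, chars, applied)."""
    parser, applied = make_hardened_parser()
    stats = {"elements": 0, "chars": 0}

    def start(name, attrs):
        stats["elements"] += 1

    def text(chunk):
        # Internal entity expansions arrive here as ordinary character data.
        stats["chars"] += len(chunk)

    parser.StartElementHandler = start
    parser.CharacterDataHandler = text
    parser.Parse(data, True)
    return stats["elements"], stats["chars"], applied
```

On a build that carries this change the third value returned by `count_elements` is `True`; on older builds the parse still succeeds but the tracker is left at whatever the linked Expat does by default.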