New submission from Dave Malcolm <dmalc...@redhat.com>:

Expat 2.1.0 Beta was recently announced:
http://mail.libexpat.org/pipermail/expat-discuss/2012-March/002768.html
which contains (among other things) a fix for a hash-collision denial-of-service attack (CVE-2012-0876).

I'm attaching a patch which minimally backports the hash-collision fix part of expat 2.1.0 to the embedded copy of expat in the CPython source tree, and which adds a call to XML_SetHashSalt() to pyexpat when creating parsers. It reuses part of the hash secret from Py_HashSecret.

----------
components: XML
files: expat-hash-randomization.patch
keywords: patch
messages: 155198
nosy: dmalcolm
priority: normal
severity: normal
status: open
title: CVE-2012-0876 (hash table collisions CPU usage DoS) for embedded copy of expat
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file24762/expat-hash-randomization.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue14234>
_______________________________________
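A check an operator could run on a deployed interpreter to see whether its bundled expat is at or past 2.1.0, the release that introduced XML_SetHashSalt() and the CVE-2012-0876 fix, and whether interpreter hash randomization is on (the patch above derives the parser salt from Py_HashSecret). This is an added example, not the attached patch or CPython's own code; it assumes the `pyexpat.version_info` and `sys.flags.hash_randomization` attributes present in current interpreters.

```python
import sys
import pyexpat

# XML_SetHashSalt() first shipped in expat 2.1.0, the release carrying
# the CVE-2012-0876 hash-collision fix discussed in the tracker issue.
FIXED_EXPAT = (2, 1, 0)


def parse_expat_version(version_string):
    """Parse a pyexpat.EXPAT_VERSION string such as 'expat_2.1.0' into (2, 1, 0).

    Trailing non-numeric suffixes (e.g. a beta tag) are dropped so that the
    comparison below works on plain integer tuples.
    """
    numeric = version_string.rsplit("_", 1)[-1]
    parts = []
    for piece in numeric.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def expat_has_hash_salt(version):
    """True if an expat of this version exposes XML_SetHashSalt()."""
    return tuple(version) >= FIXED_EXPAT


def assess(version, hash_randomization):
    """Summarise the CVE-2012-0876 posture of one interpreter.

    version:            expat version tuple, e.g. pyexpat.version_info
    hash_randomization: sys.flags.hash_randomization (1 when enabled)
    'status' is 'fixed' when the bundled expat can be salted, otherwise
    'vulnerable'. 'salt_from_randomized_secret' records whether the
    interpreter secret that the patch reuses for the salt is itself
    randomized; with randomization off that secret is a fixed value
    (an assumption stated here, not something the tracker issue says).
    """
    fixed = expat_has_hash_salt(version)
    return {
        "expat": ".".join(str(p) for p in version),
        "status": "fixed" if fixed else "vulnerable",
        "salt_from_randomized_secret": fixed and bool(hash_randomization),
    }


if __name__ == "__main__":
    report = assess(pyexpat.version_info, sys.flags.hash_randomization)
    for key, value in report.items():
        print("%s: %s" % (key, value))
```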