pythongh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (p…

…ythonGH-115400) Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities" (cherry picked from commit fbd40ce) Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
miss-islington · Feb 21, 2024 · d5fd04b · d5fd04b
1 parent dafb4f0
commit d5fd04b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
@@ -68,6 +68,7 @@ quadratic blowup           **Vulnerable** (1)  **Vulnerable** (1)  **Vulnerable*
 external entity expansion  Safe (5)            Safe (2)            Safe (3)            Safe (5)            Safe (4)
 `DTD`_ retrieval           Safe (5)            Safe                Safe                Safe (5)            Safe
 decompression bomb         Safe                Safe                Safe                Safe                **Vulnerable**
+large tokens               **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)
 =========================  ==================  ==================  ==================  ==================  ==================
 
 1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and
@@ -81,6 +82,11 @@ decompression bomb         Safe                Safe                Safe
 4. :mod:`xmlrpclib` doesn't expand external entities and omits them.
 5. Since Python 3.7.1, external general entities are no longer processed by
    default.
+6. Expat 2.6.0 and newer is not vulnerable to denial of service
+   through quadratic runtime caused by parsing large tokens.
+   Items still listed as vulnerable due to
+   potential reliance on system-provided libraries. Check
+   :const:`!pyexpat.EXPAT_VERSION`.
 
 
 billion laughs / exponential entity expansion
@@ -114,6 +120,13 @@ decompression bomb
   files. For an attacker it can reduce the amount of transmitted data by three
   magnitudes or more.
 
+large tokens
+  Expat needs to re-parse unfinished tokens; without the protection
+  introduced in Expat 2.6.0, this can lead to quadratic runtime that can
+  be used to cause denial of service in the application parsing XML.
+  The issue is known as
+  `CVE-2023-52425 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425>`_.
+
 The documentation for `defusedxml`_ on PyPI has further information about
 all known attack vectors with examples and references.
 

diff --git a/Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst b/Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst
@@ -0,0 +1 @@
+Document CVE-2023-52425 of Expat <2.6.0 under "XML vulnerabilities".