From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Wed, 21 Feb 2024 11:43:16 +0000 (+0100)
Subject: [3.11] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (GH-115400... 
X-Git-Tag: v3.11.9~162
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6928d5e1f7a017f622e311d7cd574b17fe9e08f0;p=thirdparty%2FPython%2Fcpython.git

[3.11] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (GH-115400) (GH-115761)

Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce46e7335a5dbaf48a3aa841be22d7302ba)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
---

diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
index 909022ea4ba6..662cc459197e 100644
--- a/Doc/library/xml.rst
+++ b/Doc/library/xml.rst
@@ -68,6 +68,7 @@ quadratic blowup           **Vulnerable** (1)  **Vulnerable** (1)  **Vulnerable*
 external entity expansion  Safe (5)            Safe (2)            Safe (3)            Safe (5)            Safe (4)
 `DTD`_ retrieval           Safe (5)            Safe                Safe                Safe (5)            Safe
 decompression bomb         Safe                Safe                Safe                Safe                **Vulnerable**
+large tokens               **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)  **Vulnerable** (6)
 =========================  ==================  ==================  ==================  ==================  ==================
 
 1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and
@@ -81,6 +82,11 @@ decompression bomb         Safe                Safe                Safe
 4. :mod:`xmlrpc.client` doesn't expand external entities and omits them.
 5. Since Python 3.7.1, external general entities are no longer processed by
    default.
+6. Expat 2.6.0 and newer is not vulnerable to denial of service
+   through quadratic runtime caused by parsing large tokens.
+   Items still listed as vulnerable due to
+   potential reliance on system-provided libraries. Check
+   :const:`!pyexpat.EXPAT_VERSION`.
 
 
 billion laughs / exponential entity expansion
@@ -114,6 +120,13 @@ decompression bomb
   files. For an attacker it can reduce the amount of transmitted data by three
   magnitudes or more.
 
+large tokens
+  Expat needs to re-parse unfinished tokens; without the protection
+  introduced in Expat 2.6.0, this can lead to quadratic runtime that can
+  be used to cause denial of service in the application parsing XML.
+  The issue is known as
+  `CVE-2023-52425 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425>`_.
+
 The documentation for `defusedxml`_ on PyPI has further information about
 all known attack vectors with examples and references.
 
diff --git a/Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst b/Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst
new file mode 100644
index 000000000000..587aea802168
--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2024-02-14-20-17-04.gh-issue-115399.fb9a0R.rst
@@ -0,0 +1 @@
+Document CVE-2023-52425 of Expat <2.6.0 under "XML vulnerabilities".