Bug 1222075

Summary: VUL-0: CVE-2023-52425: python,python3,python310,python311,python36,python39: expat: denial of service (resource consumption) caused by processing large tokens
Product: [Novell Products] SUSE Security Incidents Reporter: Andrea Mattiazzo <andrea.mattiazzo>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: ali.abdallah, andrea.mattiazzo, andreas.taschner, camila.matos, david.anes, kstreitova, mcepl, meissner, saweber, security-team, simonf.lees, smash_bz, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/392985/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1219559    
Bug Blocks:    

Description Andrea Mattiazzo 2024-03-27 13:19:34 UTC 
+++ This bug was initially created as a clone of Bug #1219559 +++

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52425
https://www.cve.org/CVERecord?id=CVE-2023-52425

Patch:
https://github.com/libexpat/libexpat/pull/789
Comment 1 Andrea Mattiazzo 2024-03-27 13:45:13 UTC 
Thanks for starting patching the expat version inside python packages:

https://build.opensuse.org/request/show/1160579 Factory / python310
https://build.opensuse.org/request/show/1160580 Factory / python39
https://build.opensuse.org/request/show/1160582 Factory / python38
https://build.opensuse.org/request/show/1161042 Factory / python39
https://build.opensuse.org/request/show/1161074 Factory / python310
https://build.suse.de/request/show/324705 SLE-15-SP4 / python310
https://build.suse.de/request/show/324706 SLE-15-SP3 / python39

For tracking purposes, if I am not wrong the patch also is needed in these python packages since expat library is included as builtin module as pyexpat also here:

openSUSE:Factory/python
openSUSE:Factory/python38 - already done
openSUSE:Factory/python39 - already done
openSUSE:Factory/python310 - already done
openSUSE:Factory/python311
openSUSE:Factory/python312

SUSE:SLE-11-SP1:Update/python
SUSE:SLE-12-SP1:Update/python
SUSE:SLE-12-SP4:Update/python
SUSE:SLE-15:Update/python

SUSE:SLE-12:Update/python3
SUSE:SLE-15-SP3:Update/python3
SUSE:SLE-15:Update/python3

SUSE:SLE-15-SP4:Update/python310 - already done

SUSE:ALP:Source:Standard:1.0/python311
SUSE:SLE-15-SP4:Update/python311

SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36
SUSE:SLE-12-SP5:Update/python36

SUSE:SLE-15-SP3:Update/python39 - already done
Comment 3 OBSbugzilla Bot 2024-04-11 20:55:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1222075) was mentioned in
https://build.opensuse.org/request/show/1166947 Factory / python312
Comment 6 Matej Cepl 2024-04-19 22:33:06 UTC 
I think all SRs were submitted.
Comment 12 Maintenance Automation 2024-05-24 16:30:12 UTC 
SUSE-SU-2024:1774-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075
CVE References: CVE-2023-52425, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33975](https://smelt.suse.de/incident/33975/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-05-29 20:30:02 UTC 
SUSE-SU-2024:1847-1: An update that solves four vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1214691, 1219559, 1219666, 1220664, 1221563, 1221854, 1222075, 1222109
CVE References: CVE-2022-48566, CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33972](https://smelt.suse.de/incident/33972/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python36-core-3.6.15-55.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2024-07-15 16:36:31 UTC 
SUSE-SU-2024:2479-1: An update that solves four vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075, 1226447, 1226448
CVE References: CVE-2023-52425, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:33974](https://smelt.suse.de/incident/33974/)
Sources used:
openSUSE Leap 15.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap 15.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap 15.6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Development Tools Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1
Development Tools Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Proxy 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Retail Branch Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Enterprise Storage 7.1 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.