Bug 1222075 - VUL-0: CVE-2023-52425: python,python3,python310,python311,python36,python39: expat: denial of service (resource consumption) caused by processing large tokens
Status: IN_PROGRESS
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/392985/
Whiteboard:
Keywords:
Depends on: CVE-2023-52425
Blocks:
Reported: 2024-03-27 13:19 UTC by Andrea Mattiazzo
Modified: 2024-07-15 16:36 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andrea Mattiazzo 2024-03-27 13:19:34 UTC
+++ This bug was initially created as a clone of Bug #1219559 +++

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52425
https://www.cve.org/CVERecord?id=CVE-2023-52425

Patch:
https://github.com/libexpat/libexpat/pull/789
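The description above gives the mechanism (a large token that needs several buffer fills, each of which reparses the token from its start) and the affected range (libexpat through 2.5.0; the referenced pull request shipped in libexpat 2.6.0). The following is an added example, not code from this bug, from SUSE or from the libexpat project: it reports which expat a Python interpreter's builtin pyexpat is linked against, notes whether pyexpat carries the reparse-deferral switch CPython added alongside that fix, and parses a constructed document incrementally under a size cap, which bounds the reparsing cost on builds that are not fixed. Only the standard library is used; the sample document and the cap value are constructed for the example.

```python
"""Added check for CVE-2023-52425 exposure in a Python interpreter's pyexpat,
plus bounded incremental parsing. Constructed example, not part of the bug
report or of the SUSE packages."""
import xml.parsers.expat as expat

# libexpat PR #789 shipped in release 2.6.0; a build reporting 2.5.0 or older
# is affected unless the distribution backported the fix (as this bug tracks).
FIXED_EXPAT = (2, 6, 0)


def expat_version():
    """Version of the expat library pyexpat is linked against, as a tuple."""
    return tuple(expat.version_info)


def reports_fixed_version():
    """True when the linked libexpat reports itself as 2.6.0 or newer."""
    return expat_version() >= FIXED_EXPAT


def has_reparse_deferral_api():
    """True when pyexpat exposes the reparse-deferral switch that CPython
    added together with the 2.6.0 fix; a second, independent signal."""
    return hasattr(expat.ParserCreate(), "SetReparseDeferralEnabled")


def within_budget(data, max_bytes):
    """Size gate: the reparsing cost grows with the size of one token, so a
    hard cap on the whole document bounds the worst case on unfixed builds."""
    return len(data) <= max_bytes


def count_elements(data, max_bytes=1 << 20, chunk_size=4096):
    """Parse `data` incrementally and return the number of start tags.

    Feeding the parser in chunks with isfinal=False is the 'multiple buffer
    fills' path the CVE describes; the cap applied first keeps an untrusted
    document from driving that path with a huge token.
    """
    if not within_budget(data, max_bytes):
        raise ValueError("document exceeds %d bytes" % max_bytes)
    parser = expat.ParserCreate()
    seen = 0

    def on_start(name, attrs):
        nonlocal seen
        seen += 1

    parser.StartElementHandler = on_start
    for offset in range(0, len(data), chunk_size):
        parser.Parse(data[offset:offset + chunk_size], False)
    parser.Parse(b"", True)  # signal end of document
    return seen


# Constructed sample document (not from the bug report).
SAMPLE_XML = b'<root><a x="1"/><b>text</b><c/></root>'

if __name__ == "__main__":
    print("expat", ".".join(map(str, expat_version())),
          "reports fixed version:", reports_fixed_version(),
          "deferral API present:", has_reparse_deferral_api())
    print("elements:", count_elements(SAMPLE_XML, chunk_size=3))
```

The version test is only conclusive when it says "fixed": distribution builds such as the python3 3.6.15 packages tracked in this bug may carry the backported patch without changing the expat version they report, so for those the package version named in the advisory is the authoritative check.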
Comment 1 Andrea Mattiazzo 2024-03-27 13:45:13 UTC
Thanks for starting to patch the expat version inside the python packages:

https://build.opensuse.org/request/show/1160579 Factory / python310
https://build.opensuse.org/request/show/1160580 Factory / python39
https://build.opensuse.org/request/show/1160582 Factory / python38
https://build.opensuse.org/request/show/1161042 Factory / python39
https://build.opensuse.org/request/show/1161074 Factory / python310
https://build.suse.de/request/show/324705 SLE-15-SP4 / python310
https://build.suse.de/request/show/324706 SLE-15-SP3 / python39

For tracking purposes, if I am not wrong, the patch is also needed in these python packages, since the expat library is also included here as the builtin pyexpat module:

openSUSE:Factory/python
openSUSE:Factory/python38 - already done
openSUSE:Factory/python39 - already done
openSUSE:Factory/python310 - already done
openSUSE:Factory/python311
openSUSE:Factory/python312

SUSE:SLE-11-SP1:Update/python
SUSE:SLE-12-SP1:Update/python
SUSE:SLE-12-SP4:Update/python
SUSE:SLE-15:Update/python

SUSE:SLE-12:Update/python3
SUSE:SLE-15-SP3:Update/python3
SUSE:SLE-15:Update/python3

SUSE:SLE-15-SP4:Update/python310 - already done

SUSE:ALP:Source:Standard:1.0/python311
SUSE:SLE-15-SP4:Update/python311

SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36
SUSE:SLE-12-SP5:Update/python36

SUSE:SLE-15-SP3:Update/python39 - already done
Comment 3 OBSbugzilla Bot 2024-04-11 20:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1222075) was mentioned in
https://build.opensuse.org/request/show/1166947 Factory / python312
Comment 6 Matej Cepl 2024-04-19 22:33:06 UTC
I think all SRs were submitted.
Comment 12 Maintenance Automation 2024-05-24 16:30:12 UTC
SUSE-SU-2024:1774-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075
CVE References: CVE-2023-52425, CVE-2024-0450
Maintenance Incident: SUSE:Maintenance:33975 (https://smelt.suse.de/incident/33975/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 python3-3.6.15-150000.3.147.1, python3-core-3.6.15-150000.3.147.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-05-29 20:30:02 UTC
SUSE-SU-2024:1847-1: An update that solves four vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1214691, 1219559, 1219666, 1220664, 1221563, 1221854, 1222075, 1222109
CVE References: CVE-2022-48566, CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: SUSE:Maintenance:33972 (https://smelt.suse.de/incident/33972/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python36-core-3.6.15-55.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python36-core-3.6.15-55.1, python36-3.6.15-55.1
Comment 16 Maintenance Automation 2024-07-15 16:36:31 UTC
SUSE-SU-2024:2479-1: An update that solves four vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075, 1226447, 1226448
CVE References: CVE-2023-52425, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032
Maintenance Incident: SUSE:Maintenance:33974 (https://smelt.suse.de/incident/33974/)
Sources used:
openSUSE Leap 15.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap 15.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap 15.6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Development Tools Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1
Development Tools Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Proxy 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Retail Branch Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Enterprise Storage 7.1 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2