| Summary: | dev-python/pyxml: hash table collisions CPU usage DoS (oCERT-2011-003) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | minor | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=787109 | ||
| Whiteboard: | B3 [upstream] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 396397 | ||
<@maintainer(s): after the bump> What bump?? The copy pasted paragraph tells us Bz 750555 has already been fixed no less than 2 years ago in Cpython. Then "In other words no action should be neccesary from upstream to correct this". There is no traceable patch CVE patch. If one is made feel free to tell us. No traceable information for this vulnerability. No other distro has anything either regarding the matter either. |
From ${URL} : However upstream PyXML will still be affected Juraj Somorovsky reported that certain XML parsers/servers are affected by the same, or similar, flaw as the hash table collisions CPU usage denial of service. Sending a specially crafted message to an XML service can result in longer processing time, which could lead to a denial of service. It is reported that this attack on XML can be applied on different XML nodes (such as entities, element attributes, namespaces, various elements in the XML security, etc.). PyXML is written in Python and makes significant use of arrays. It is unclear if fixing the Python array hash DoS bug (Bz 750555) will completely address this issue however at first glance it would appear to be the case. In other words no action should be neccesary from upstream to correct this. Additionally our PyXML uses the system expat (from the spec file): @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.