Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
python-base.32354
CVE-2022-48565-plistlib-XML-vulns.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2022-48565-plistlib-XML-vulns.patch of Package python-base.32354
From 4d8f9e2e4461de92bd1e0c92ed433480d761670f Mon Sep 17 00:00:00 2001 From: Ned Deily <nad@python.org> Date: Mon, 19 Oct 2020 22:36:27 -0400 Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files (GH-22760) (GH-22801) Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com> (cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc) Co-authored-by: Ned Deily <nad@python.org> --- Lib/plistlib.py | 10 +++++ Lib/test/test_plistlib.py | 19 ++++++++++ Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | 3 + 3 files changed, 32 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst --- a/Lib/plistlib.py +++ b/Lib/plistlib.py @@ -403,9 +403,19 @@ class PlistParser: parser.StartElementHandler = self.handleBeginElement parser.EndElementHandler = self.handleEndElement parser.CharacterDataHandler = self.handleData + parser.EntityDeclHandler = self.handle_entity_decl parser.ParseFile(fileobj) return self.root + def handle_entity_decl(self, entity_name, is_parameter_entity, value, + base, system_id, public_id, notation_name): + # Reject plist files with entity declarations to avoid XML + # vulnerabilies in expat. Regular plist files don't contain + # those declerations, and Apple's plutil tool does not accept + # them either. + raise ValueError( + "XML entity declarations are not supported in plist files") + def handleBeginElement(self, element, attrs): self.data = [] handler = getattr(self, "begin_" + element, None) --- a/Lib/test/test_plistlib.py +++ b/Lib/test/test_plistlib.py @@ -86,6 +86,19 @@ TESTDATA = """<?xml version="1.0" encodi </plist> """.replace(" " * 8, "\t") # Apple as well as plistlib.py output hard tabs +XML_PLIST_WITH_ENTITY=b'''\ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [ + <!ENTITY entity "replacement text"> + ]> +<plist version="1.0"> + <dict> + <key>A</key> + <string>&entity;</string> + </dict> +</plist> +''' + class TestPlistlib(unittest.TestCase): @@ -195,6 +208,12 @@ class TestPlistlib(unittest.TestCase): self.assertEqual(test1, result1) self.assertEqual(test2, result2) + def test_xml_plist_with_entity_decl(self): + with self.assertRaisesRegexp(ValueError, + "XML entity declarations are not supported"): + plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY) + + def test_main(): test_support.run_unittest(TestPlistlib) --- /dev/null +++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst @@ -0,0 +1,3 @@ +The :mod:`plistlib` module no longer accepts entity declarations in XML +plist files to avoid XML vulnerabilities. This should not affect users as +entity declarations are not used in regular plist files.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor