Skip to content

[3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)#139527

Merged
Yhg1s merged 9 commits intopython:3.12from
hartwork:backport-f04bea4-3.12
Dec 17, 2025
Merged

[3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)#139527
Yhg1s merged 9 commits intopython:3.12from
hartwork:backport-f04bea4-3.12

Conversation

@hartwork
Copy link
Contributor

@hartwork hartwork commented Oct 2, 2025
edited by github-actions bot
Loading

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of disproportional amounts of dynamic memory from within an Expat parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is, parsers created by xml.parsers.expat.ParserCreate(), as:

  • parser.SetAllocTrackerActivationThreshold(threshold), and
  • parser.SetAllocTrackerMaximumAmplification(max_factor).

(cherry picked from commit f04bea4)

CC @picnixz

📚 Documentation preview 📚: https://cpython-previews--139527.org.readthedocs.build/

picnixz and others added 4 commits October 2, 2025 23:47
@picnixz @hartwork
[3.12] pythongh-90949: add Expat API to prevent XML deadly allocations (
aeefb63 
CVE-2025-59375) (pythonGH-139234)

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.
(cherry picked from commit f04bea4)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@picnixz @hartwork
pythongh-90949: amend pythonGH-139234 in prevision of future mitigati…
a5d026a 
…on API (python#139366)

Fix some typos left in f04bea4,
and simplify some internal functions to ease maintenance of future
mitigation APIs.

(cherry picked from commit 68a1778)
@hartwork
Make use of macro _Py_ID possible to pyexpat
2ab3e1d
@hartwork
Add a temporary workaround for issue 139400
ce64f57
@bedevere-app bedevere-app bot mentioned this pull request Oct 2, 2025
Open
@bedevere-app bedevere-app bot mentioned this pull request Oct 2, 2025
Merged
@picnixz
Copy link
Member

picnixz commented Oct 7, 2025

To have a good synchronization, we'll also delay 3.10 to 3.13 backports for their next release cycle (see #139359 (comment)).

@picnixz picnixz self-assigned this Oct 7, 2025
@ambv
Copy link
Contributor

ambv commented Oct 8, 2025

I set DO-NOT-MERGE to avoid confusion. Unset that when you think we should be releasing this.

picnixz
picnixz approved these changes Nov 8, 2025
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The 22 additional lines are in the clinic file so all good.

@picnixz picnixz requested review from Yhg1s and removed request for Yhg1s November 8, 2025 13:47
@hartwork
Copy link
Contributor Author

hartwork commented Nov 22, 2025

@Yhg1s do you have a minute for this? 🙏

@hartwork
Copy link
Contributor Author

hartwork commented Dec 17, 2025

@Yhg1s do you have a minute? 🙏

@Yhg1s Yhg1s merged commit 0e4cd89 into python:3.12 Dec 17, 2025
30 checks passed
@hartwork
Copy link
Contributor Author

hartwork commented Dec 17, 2025

Thanks! 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz approved these changes

Assignees

@Yhg1s Yhg1s

@picnixz picnixz

Labels

topic-XML

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hartwork @picnixz @ambv @Yhg1s