Python: security vulnerabilities in bundled expat (CVE-2016-0718 and CVE-2016-4472)

Created on 20 Feb 2017  路  3Comments  路  Source: docker-library/python

python includes expat-2.1.1 sources, which has some vulnerabilities. I have reported upstream: http://bugs.python.org/issue29591

Some options to solve it:

  • wait for upstream python to ship a fixed version
  • patch the python source before building it (eg create patch for expat)
  • build it with system expat

I think the best option would be to use system expat. For example:
````diff
diff --git a/3.5/alpine/Dockerfile b/3.5/alpine/Dockerfile
index a867fb8..a122e96 100644
--- a/3.5/alpine/Dockerfile
+++ b/3.5/alpine/Dockerfile
@@ -50,6 +50,7 @@ RUN set -ex
ncurses-dev
openssl
openssl-dev

  • expat-dev
    pax-utils
    readline-dev
    sqlite-dev
    @@ -65,6 +66,7 @@ RUN set -ex
    && ./configure
    --enable-loadable-sqlite-extensions
    --enable-shared
  • --with-system-expat
    && make -j$(getconf _NPROCESSORS_ONLN)
    && make install

    ````

Most helpful comment

Looks like they finally fixed it upstream. http://bugs.python.org/issue29591
Upstream commit for 3.5 branch: https://github.com/python/cpython/commit/8c797ed8a0fea5e3162b9415f13e270d4d5d9549

All 3 comments

I'd rather stick to upstream sources since we could run into a scenario where the system expat is too new (or old), but it should be ok to build with system expat until they push a fix.

Looks like they finally fixed it upstream. http://bugs.python.org/issue29591
Upstream commit for 3.5 branch: https://github.com/python/cpython/commit/8c797ed8a0fea5e3162b9415f13e270d4d5d9549

Looks like this was in the 3.5.4 release and thus fixed.

Was this page helpful?
0 / 5 - 0 ratings