From 6bd902e139bc1a9bae1324f5f0af48c0da6234bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zachar?= Date: Fri, 10 Jul 2026 15:01:23 +0200 Subject: [PATCH] Security fix for CVE-2026-15308 Resolves: RHEL-193776 --- 00490-cve-2026-15308.patch | 114 +++++++++++++++++++++++++++++++++++++ python3.12.spec | 17 +++++- 2 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 00490-cve-2026-15308.patch diff --git a/00490-cve-2026-15308.patch b/00490-cve-2026-15308.patch new file mode 100644 index 0000000..5341c89 --- /dev/null +++ b/00490-cve-2026-15308.patch @@ -0,0 +1,114 @@ +From effae3f6f868409068cc0b7ab16fe8e4251352be Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Sat, 4 Jul 2026 20:40:22 +0300 +Subject: [PATCH] gh-153030: Fix quadratic complexity in incremental parsing in + HTMLParser (GH-153031) + +When an unterminated construct (e.g. a tag or comment) spanned many +feed() calls, rescanning the growing buffer and concatenating new data +onto it were both quadratic. New data is now accumulated in a list and +only joined and parsed once enough has piled up. +(cherry picked from commit bcf98ddbc40ec9b3ee87da0124a5660b19b7e606) + +Co-authored-by: Serhiy Storchaka +Co-Authored-By: Claude Opus 4.8 +--- + Lib/html/parser.py | 32 +++++++++++++++++-- + Lib/test/test_htmlparser.py | 20 ++++++++++++ + ...-07-04-17-00-00.gh-issue-153030.RovkP6.rst | 3 ++ + 3 files changed, 53 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst + +diff --git a/Lib/html/parser.py b/Lib/html/parser.py +index bfab3e64cd54027..c5d2340b712cd6c 100644 +--- a/Lib/html/parser.py ++++ b/Lib/html/parser.py +@@ -138,6 +138,9 @@ def reset(self): + self.cdata_elem = None + self._support_cdata = True + self._escapable = True ++ self._pending = [] ++ self._pending_len = 0 ++ self._parse_threshold = 1 + super().reset() + + def feed(self, data): +@@ -146,11 +149,36 @@ def feed(self, data): + Call this as often as you want, with as little or as much text + as you want (may include '\n'). + """ +- self.rawdata = self.rawdata + data +- self.goahead(0) ++ # Accumulate new data in a list and only join and parse it once ++ # enough has piled up. Rescanning an unparsed buffer (e.g. an ++ # unterminated tag) and concatenating onto it on every call would ++ # both be quadratic in the input size. ++ self._pending_len += len(data) ++ if self._pending_len < self._parse_threshold: ++ self._pending.append(data) ++ else: ++ if not self._pending: ++ self.rawdata += data ++ else: ++ self._pending.append(data) ++ self.rawdata += ''.join(self._pending) ++ self._pending.clear() ++ self._pending_len = 0 ++ n = len(self.rawdata) ++ self.goahead(0) ++ if len(self.rawdata) < n: ++ # Some data was parsed; resume on the next call. ++ self._parse_threshold = 1 ++ else: ++ # Nothing was parsed; wait until the buffer doubles. ++ self._parse_threshold = len(self.rawdata) + + def close(self): + """Handle any buffered data.""" ++ if self._pending: ++ self.rawdata += ''.join(self._pending) ++ self._pending.clear() ++ self._pending_len = 0 + self.goahead(1) + + __starttag_text = None +diff --git a/Lib/test/test_htmlparser.py b/Lib/test/test_htmlparser.py +index 303c0baa87b026b..e6d92a7ec5166b7 100644 +--- a/Lib/test/test_htmlparser.py ++++ b/Lib/test/test_htmlparser.py +@@ -930,6 +930,26 @@ def check(source): + check("") # comment ++ check("") # processing instruction ++ check("") # doctype ++ check("") # CDATA section ++ check("") # start tag ++ check("") # RAWTEXT element ++ + + class AttributesTestCase(TestCaseBase): + +diff --git a/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst b/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst +new file mode 100644 +index 000000000000000..d1d60593f4ba7d2 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst +@@ -0,0 +1,3 @@ ++Fixed quadratic complexity in incremental parsing of long unterminated ++constructs (such as tags or comments) in :class:`html.parser.HTMLParser`, ++which could be exploited for a denial of service. diff --git a/python3.12.spec b/python3.12.spec index 19e663f..371efcd 100644 --- a/python3.12.spec +++ b/python3.12.spec @@ -20,7 +20,7 @@ URL: https://www.python.org/ #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 3%{?dist} License: Python-2.0.1 @@ -450,6 +450,17 @@ Patch484: 00484-cve-2026-3644.patch # Stack overflow parsing XML with deeply nested DTD content models Patch485: 00485-cve-2026-4224.patch +# 00490 # +# CVE-2026-15308 +# +# gh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (GH-153031) (GH-153038) +# +# When an unterminated construct (e.g. a tag or comment) spanned many +# feed() calls, rescanning the growing buffer and concatenating new data +# onto it were both quadratic. New data is now accumulated in a list and +# only joined and parsed once enough has piled up. +Patch490: 00490-cve-2026-15308.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1940,6 +1951,10 @@ fi # ====================================================== %changelog +* Fri Jul 10 2026 Lukáš Zachar - 3.12.13-3 +- Security fix for CVE-2026-15308 +Resolves: RHEL-193776 + * Thu Apr 16 2026 Charalampos Stratakis - 3.12.13-2 - Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297, CVE-2026-3644, CVE-2026-4224 Resolves: RHEL-168130, RHEL-167892