Security fix for CVE-2026-15308

Resolves: RHEL-193772
This commit is contained in:
Lumir Balhar 2026-07-10 11:36:35 +02:00
parent e77eebc966
commit 7c4eff367d
2 changed files with 133 additions and 1 deletions

116
00490-cve-2026-15308.patch Normal file
View File

@ -0,0 +1,116 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= <lbalhar@redhat.com>
Date: Fri, 10 Jul 2026 08:12:50 +0000
Subject: 00490: CVE-2026-15308
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
gh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (GH-153031) (GH-153038)
When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both quadratic. New data is now accumulated in a list and
only joined and parsed once enough has piled up.
(cherry picked from commit bcf98ddbc40ec9b3ee87da0124a5660b19b7e606)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
---
Lib/html/parser.py | 32 ++++++++++++++++++++++++++++++--
Lib/test/test_htmlparser.py | 21 +++++++++++++++++++++
2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/Lib/html/parser.py b/Lib/html/parser.py
index ef869bc72d..37bbadcc05 100644
--- a/Lib/html/parser.py
+++ b/Lib/html/parser.py
@@ -99,6 +99,9 @@ class HTMLParser(_markupbase.ParserBase):
self.lasttag = '???'
self.interesting = interesting_normal
self.cdata_elem = None
+ self._pending = []
+ self._pending_len = 0
+ self._parse_threshold = 1
_markupbase.ParserBase.reset(self)
def feed(self, data):
@@ -107,11 +110,36 @@ class HTMLParser(_markupbase.ParserBase):
Call this as often as you want, with as little or as much text
as you want (may include '\n').
"""
- self.rawdata = self.rawdata + data
- self.goahead(0)
+ # Accumulate new data in a list and only join and parse it once
+ # enough has piled up. Rescanning an unparsed buffer (e.g. an
+ # unterminated tag) and concatenating onto it on every call would
+ # both be quadratic in the input size.
+ self._pending_len += len(data)
+ if self._pending_len < self._parse_threshold:
+ self._pending.append(data)
+ else:
+ if not self._pending:
+ self.rawdata += data
+ else:
+ self._pending.append(data)
+ self.rawdata += ''.join(self._pending)
+ self._pending.clear()
+ self._pending_len = 0
+ n = len(self.rawdata)
+ self.goahead(0)
+ if len(self.rawdata) < n:
+ # Some data was parsed; resume on the next call.
+ self._parse_threshold = 1
+ else:
+ # Nothing was parsed; wait until the buffer doubles.
+ self._parse_threshold = len(self.rawdata)
def close(self):
"""Handle any buffered data."""
+ if self._pending:
+ self.rawdata += ''.join(self._pending)
+ self._pending.clear()
+ self._pending_len = 0
self.goahead(1)
__starttag_text = None
diff --git a/Lib/test/test_htmlparser.py b/Lib/test/test_htmlparser.py
index 326e34290f..a2916b9511 100644
--- a/Lib/test/test_htmlparser.py
+++ b/Lib/test/test_htmlparser.py
@@ -3,6 +3,7 @@
import html.parser
import pprint
import unittest
+from test import support
class EventCollector(html.parser.HTMLParser):
@@ -641,6 +642,26 @@ text
('endtag', 'a'), ('data', ' bar & baz')]
)
+ @support.requires_resource('cpu')
+ def test_incremental_no_quadratic_complexity(self):
+ # An unterminated construct fed in many small chunks used to take
+ # quadratic time, both to rescan and to concatenate the buffer.
+ # Now it takes a fraction of a second.
+ def check(prefix, chunk, suffix):
+ parser = html.parser.HTMLParser()
+ parser.feed(prefix)
+ for _ in range(200_000):
+ parser.feed(chunk)
+ parser.feed(suffix)
+ parser.close()
+ chunk = "a" * 64
+ check("<!--", chunk, "-->") # comment
+ check("<?", chunk, ">") # processing instruction
+ check("<!doctype ", chunk, ">") # doctype
+ check("<![CDATA[", chunk, "]]>") # CDATA section
+ check("<a href='", chunk, "'>") # start tag
+ check("<script>", chunk, "</script>") # RAWTEXT element
+
class AttributesTestCase(TestCaseBase):

View File

@ -14,7 +14,7 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well
Version: %{pybasever}.8
Release: 76%{?dist}
Release: 77%{?dist}
License: Python
@ -1017,6 +1017,17 @@ Patch480: 00480-cve-2026-4786.patch
# Backported from Python 3.10
Patch482: 00482-cve-2026-6100.patch
# 00490 #
# CVE-2026-15308
#
# gh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (GH-153031) (GH-153038)
#
# When an unterminated construct (e.g. a tag or comment) spanned many
# feed() calls, rescanning the growing buffer and concatenating new data
# onto it were both quadratic. New data is now accumulated in a list and
# only joined and parsed once enough has piled up.
Patch490: 00490-cve-2026-15308.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1397,6 +1408,7 @@ GIT_DIR=$PWD git apply %{PATCH351}
%patch478 -p1
%patch480 -p1
%patch482 -p1
%patch490 -p1
# Remove files that should be generated by the build
# (This is after patching, so that we can use patches directly from upstream)
@ -2328,6 +2340,10 @@ fi
# ======================================================
%changelog
* Fri Jul 10 2026 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-77
- Security fix for CVE-2026-15308
Resolves: RHEL-193772
* Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-76
- Security fixes for CVE-2026-4786, CVE-2026-6100
Resolves: RHEL-167890, RHEL-168128