Skip to content

5.0.2.1 — CVE-2026-41066 security backport#1

Closed
martinPavesio wants to merge 11 commits into
python-2.7-maintfrom
security/cve-2026-41066
Closed

5.0.2.1 — CVE-2026-41066 security backport#1
martinPavesio wants to merge 11 commits into
python-2.7-maintfrom
security/cve-2026-41066

Conversation

@martinPavesio
Copy link
Copy Markdown

@martinPavesio martinPavesio commented May 28, 2026

Backport of CVE-2026-41066 (XXE via resolve_entities default) for Python 2.7. Tag: 5.0.2.1. Ticket: CS-2178.

@martinPavesio
ActiveState 5.0.2.1: security backport + Python 2.7 build fixes
7de6d40 
Backport of CVE-2026-41066 (GHSA-vfmq-68hx-4jfw) from lxml 6.1.0:
  - iterparse.__init__: resolve_entities default True -> 'internal'
  - ETCompatXMLParser.__init__: resolve_entities default True -> 'internal'
  Upstream commit: ab431ea (LP#2146291)

Also includes Python 2.7 / ActiveState platform build fixes:
  - setupinfo.py: use AS-built libxml2/libxslt; str.format for Py2 compat
  - versioninfo.py: use __file__ instead of sys.argv[0] for base dir
  - src/lxml/etree.c: pre-generated C included to avoid Cython 3 incompatibility
    with Python 2.7; includes const xmlChar** cast fix for libxml2 2.15.x
    (fixes -Werror=incompatible-pointer-types on Rocky 9 builder)

Version: 5.0.2.1
@martinPavesio
Revert .pxi sources to lxml-5.0.2 originals
cb14218 
The CVE-2026-41066 fix lives entirely in the pre-generated etree.c
(values[9]/values[10] default changed from Py_True to __pyx_n_s_internal).
Having the .pxi files also modified caused Cython 3 to detect source changes
and regenerate etree.c from scratch, discarding the fix and producing
Python 3-only C code that fails to compile against Python 2.7.

Rule: when a fix is applied at the C level in a pre-generated file,
the Cython source (.pxi/.pyx) must NOT be modified.
@martinPavesio
Add missing pre-generated C files (objectify, builder, _elementpath, …
d7dfb9f 
…sax)

setupinfo.py raises RuntimeError if any C file is absent when Cython is not
available. Only etree.c was committed initially; all four remaining files are
needed for a Cython-free build. Copied unmodified from lxml-5.0.2 PyPI tarball.
@martinPavesio
Add missing html/*.c pre-generated files (clean, diff)
beed15d 
lxml's setupinfo.py also requires src/lxml/html/clean.c and
src/lxml/html/diff.c to be present for a Cython-free build.
Copied unmodified from lxml-5.0.2 PyPI tarball.
@martinPavesio
Add gitignored header files required by objectify.c
6ff6be6 
objectify.c includes etree_api.h, etree.h, lxml.etree.h, lxml.etree_api.h
which are generated files gitignored by the upstream repo.
Copied unmodified from lxml-5.0.2 PyPI tarball.
@martinPavesio
Version string: 5.0.2+security.1 (tag stays 5.0.2.1)
a4e6ca4
@martinPavesio
Fix Windows zlib library name for static linking
f3b78b3 
Change 'zlib' to 'z' in libs.extend() on Windows to use the correct
library name when linking against the static zlib library.
@martinPavesio
Remove pre-generated C/H files and revert gitignore exceptions
d35a7d8 
Let Cython 3 compile from .pyx/.pxi sources at build time.
The pre-generated file approach was a wrong fix for the const xmlChar**
compiler error; the correct fix is in the Cython source (proxy.pxi).
@martinPavesio
Fix proxy.pxi: cast c_attribute.defaultValue to const_xmlChar** at ca…
4491bdf 
…ll site

xmlAttribute.defaultValue is xmlChar* (non-const) in libxml2 2.15.x while
_fixThreadDictPtr expects const_xmlChar**. Add explicit Cython cast at the
one non-const call site. Fixes -Werror=incompatible-pointer-types on Rocky 9
/ GCC 14 when Cython regenerates etree.c from this source.

Backport of CVE fix for C-level const mismatch discovered during CS-2178.
@martinPavesio
CVE-2026-41066: set resolve_entities='internal' default in iterparse
35e63cc 
iterparse.__init__ defaulted to resolve_entities=True, allowing XXE
injection via untrusted XML. Upstream fix: python-pillow/lxml@ab431ea0
(lxml 6.1.0, LP#2146291).

Cython will regenerate etree.c from this source at build time.
@martinPavesio
CVE-2026-41066: set resolve_entities='internal' default in ETCompatXM…
503c771 
…LParser

ETCompatXMLParser.__init__ defaulted to resolve_entities=True, allowing
XXE injection. Upstream fix: lxml 6.1.0 (LP#2146291).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@martinPavesio