Fix CVE-2018-14647:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
https://bugs.python.org/issue34623

Taken from upstream:
https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2

diff --git a/Include/pyexpat.h b/Include/pyexpat.h
index 5340ef5fa3..3fc5fa54da 100644
--- a/Include/pyexpat.h
+++ b/Include/pyexpat.h
@@ -3,7 +3,7 @@
 
 /* note: you must import expat.h before importing this module! */
 
-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"
+#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"
 #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
 
 struct PyExpat_CAPI 
@@ -43,6 +43,8 @@ struct PyExpat_CAPI
         XML_Parser parser, XML_UnknownEncodingHandler handler,
         void *encodingHandlerData);
     void (*SetUserData)(XML_Parser parser, void *userData);
+    /* might be none for expat < 2.1.0 */
+    int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
     /* always add new stuff to the end! */
 };
 
diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
index f7f992dd3a..b38e0ab329 100644
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw)
         PyErr_NoMemory();
         return NULL;
     }
+    /* expat < 2.1.0 has no XML_SetHashSalt() */
+    if (EXPAT(SetHashSalt) != NULL) {
+        EXPAT(SetHashSalt)(self->parser,
+                           (unsigned long)_Py_HashSecret.prefix);
+    }
 
     ALLOC(sizeof(XMLParserObject), "create expatparser");
 
diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
index 2b4d31293c..1f8c0d70a5 100644
--- a/Modules/pyexpat.c
+++ b/Modules/pyexpat.c
@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void)
     capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler;
     capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler;
     capi.SetUserData = XML_SetUserData;
+#if XML_COMBINED_VERSION >= 20100
+    capi.SetHashSalt = XML_SetHashSalt;
+#else
+    capi.SetHashSalt = NULL;
+#endif
 
     /* export using capsule */
     capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
b3a390bea8bdde8c46e8eb22f07cec3dd026fe7'>libutil</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/nix/libutil?id=fb3a390bea8bdde8c46e8eb22f07cec3dd026fe7&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-05-13 16:31:34 +0200'>2024-05-13</span></td><td><a href='/guix/commit/nix/libutil?id=7757fdd491862fa5c33f1f894503346b89898a01'>daemon: Loop over ‘copy_file_range’ upon short writes.</a><span class='msg-avail'>...<span class='msg-tooltip'>Fixes &lt;https://issues.guix.gnu.org/70877&gt;.

* nix/libutil/util.cc (copyFile): Loop over ‘copy_file_range’ instead of
throwing upon short write.

Reported-by: Ricardo Wurmus &lt;rekado@elephly.net&gt;
Change-Id: Id7b8a65ea59006c2d91bc23732309a68665b9ca0
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2024-03-12 14:07:28 +0100'>2024-03-12</span></td><td><a href='/guix/commit/nix/libutil?id=ff1251de0bc327ec478fc66a562430fbf35aef42'>daemon: Address shortcoming in previous security fix for CVE-2024-27297.</a><span class='msg-avail'>...<span class='msg-tooltip'>This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
ways: (1) it didn’t have any effet for fixed-output derivations
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.

* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.

Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2024-03-11 22:12:34 +0100'>2024-03-11</span></td><td><a href='/guix/commit/nix/libutil?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143'>daemon: Protect against FD escape when building fixed-output derivations (CVE...</a><span class='msg-avail'>...<span class='msg-tooltip'>This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.

Vulnerability discovered by puck &lt;https://github.com/puckipedia&gt;.

Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

Nix fix:
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9

* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor.  Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.

Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4

Reported-by: Picnoir &lt;picnoir@alternativebit.fr&gt;, Théophane Hufschmitt &lt;theophane.hufschmitt@tweag.io&gt;
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
</span></span></td><td>Ludovic Courtès</td></tr>