python-lxml is vulnerable to CVE-2021-28957

Details
4 participants
  • Leo Famulari
  • Léo Le Bouter
  • Maxim Cournoyer
  • Mark H Weaver
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 22 Mar 2021 15:09
(address . bug-guix@gnu.org)
8e3d68f9e674d1556bf2ba6baff0e72c069a2673.camel@zaclys.net
CVE-2021-28957 21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?

Léo
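As an added illustration (not from this thread and not lxml's own code), a simplified model of the link-attribute check the report describes: a cleaner that only inspects attributes listed in a link_attrs set never looks at formaction unless the set contains it. The two attribute sets and the sample button attributes are constructed for the example; installed_lxml_covers_formaction() queries the real lxml.html.defs only if lxml happens to be importable.

```python
import re

# Constructed, minimal stand-ins for lxml.html.defs.link_attrs as the CVE
# describes them: 4.6.2 listed "action" but not "formaction"; 4.6.3 added it.
# The real set contains many more attribute names.
LINK_ATTRS_4_6_2 = frozenset({"href", "src", "action"})
LINK_ATTRS_4_6_3 = LINK_ATTRS_4_6_2 | {"formaction"}

# Simplified scheme test: real sanitizers also strip control characters and
# entity-encoded noise before matching; this one only tolerates whitespace.
_SCRIPT_SCHEME = re.compile(r"^\s*(?:javascript|jscript|vbscript)\s*:", re.I)


def strip_script_links(attrs, link_attrs):
    """Return a copy of one element's attributes with scripting URLs removed
    from every attribute that link_attrs marks as a URL carrier.

    Attributes absent from link_attrs are never examined, which is exactly the
    gap CVE-2021-28957 describes for the HTML5 formaction attribute.
    """
    return {
        name: value
        for name, value in attrs.items()
        if name.lower() not in link_attrs or not _SCRIPT_SCHEME.match(value)
    }


def formaction_is_covered(link_attrs):
    """Regression check a packager can run against any link_attrs set."""
    return "formaction" in link_attrs


def installed_lxml_covers_formaction():
    """Run the same check against the installed lxml; None if not installed."""
    try:
        from lxml.html import defs
    except ImportError:
        return None
    return "formaction" in defs.link_attrs


if __name__ == "__main__":
    # Constructed sample: a submit button carrying an inert scripting URL.
    button = {"type": "submit", "formaction": "javascript:void(0)"}
    print("4.6.2-style set keeps formaction:",
          strip_script_links(button, LINK_ATTRS_4_6_2))
    print("4.6.3-style set strips it:      ",
          strip_script_links(button, LINK_ATTRS_4_6_3))
    print("installed lxml covers formaction:", installed_lxml_covers_formaction())
```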


Léo Le Bouter wrote on 22 Mar 2021 15:10
(address . control@debbugs.gnu.org)
0fece03a442059eec9966ab9e1de32d02df89b81.camel@zaclys.net
tags 47319 + security
quit


Léo Le Bouter wrote on 23 Mar 2021 16:29
(address . 47319@debbugs.gnu.org)
cd5fd0c50f8229e7c8c729d810c373256590739b.camel@zaclys.net
I pushed a9d540cfa87ef3a5de3296188f650fb0d037efbd on core-updates, how
to fix it on master considering the amount of dependents remains to be
agreed on.


Leo Famulari wrote on 23 Mar 2021 18:55
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47319@debbugs.gnu.org)
YFori3lHDKLjAEyE@jasmine.lan
On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.

Thanks for the notification.

I checked on some other distros that, like us, try to avoid major
updates of packages with a lot of dependents:


So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company. We would monitor the Debian page and
copy their patch, if they decide to fix the bug.

> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
>
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?

Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't know if
it works or not.


Mark H Weaver wrote on 6 Apr 2021 01:54
87wntg5lsm.fsf@netris.org
Leo Famulari <leo@famulari.name> writes:

> On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> Has lots of dependents so I suppose it needs grafting? Is that useful
>> and does it work for Python packages?
>
> Grafting Python packages is not something we've done in the past, as far
> as I can tell from reading the Git log, although I don't know if
> it works or not.

I see no reason why grafting a python package wouldn't work, although
admittedly my knowledge of Python is weak.

Mark
Maxim Cournoyer wrote on 23 Mar 2022 03:32
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47319-done@debbugs.gnu.org)
874k3p1jqj.fsf@gmail.com
Hi,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
>
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.

This is the current version in Guix.

Closing; thanks!

Maxim
Closed