python-lxml is vulnerable to CVE-2021-28957

Open
Submitted by Léo Le Bouter.
Details
3 participants
  • Leo Famulari
  • Léo Le Bouter
  • Mark H Weaver
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 22 Mar 15:09 +0100
(address . bug-guix@gnu.org)
8e3d68f9e674d1556bf2ba6baff0e72c069a2673.camel@zaclys.net
CVE-2021-28957 21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.
Upstream fixed it in 4.6.3 (https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d), so we should probably upgrade to that.
Has lots of dependents so I suppose it needs grafting? Is that useful and does it work for Python packages?
Léo
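A check a packager or user could run to see whether a given lxml build is still exposed to CVE-2021-28957, added here as example code (not part of the bug report, of Guix, or of lxml itself). The fixed version 4.6.3 and the link_attrs/formaction detail come from the report above; the function names are assumptions of this example.

```python
"""Exposure check for CVE-2021-28957 (HTML5 'formaction' missing from
lxml.html.defs.link_attrs). Two independent signals are combined:
the installed version and the actual content of defs.link_attrs."""
import re

# Upstream shipped the fix in lxml 4.6.3 (per the bug report).
FIXED_VERSION = (4, 6, 3)


def parse_version(version: str) -> tuple:
    """Turn '4.6.2' or '4.6.3.dev0' into a tuple of ints for comparison.
    Parsing stops at the first component that does not start with a digit,
    so pre-release suffixes are simply ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_is_vulnerable(version: str) -> bool:
    """True for any release older than the fixed one (e.g. 4.6.2)."""
    return parse_version(version) < FIXED_VERSION


def link_attrs_cover_formaction(link_attrs) -> bool:
    """The 4.6.3 fix adds 'formaction' to defs.link_attrs; a set that lacks
    it still matches the vulnerable 4.6.2 layout even if the version string
    was patched downstream, so this is the more reliable signal."""
    return "formaction" in link_attrs


def installed_lxml_status():
    """Inspect the lxml actually importable in this environment.
    Returns None when lxml is not installed at all."""
    try:
        import lxml
        from lxml.html import defs
    except ImportError:
        return None
    return {
        "version": lxml.__version__,
        "version_vulnerable": version_is_vulnerable(lxml.__version__),
        "formaction_in_link_attrs": link_attrs_cover_formaction(defs.link_attrs),
    }


if __name__ == "__main__":
    print(installed_lxml_status())
```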

Léo Le Bouter wrote on 22 Mar 15:10 +0100
(address . control@debbugs.gnu.org)
0fece03a442059eec9966ab9e1de32d02df89b81.camel@zaclys.net
tags 47319 + security
quit

Léo Le Bouter wrote on 23 Mar 16:29 +0100
(address . 47319@debbugs.gnu.org)
cd5fd0c50f8229e7c8c729d810c373256590739b.camel@zaclys.net
I pushed a9d540cfa87ef3a5de3296188f650fb0d037efbd on core-updates, how to fix it on master considering the amount of dependents remains to be agreed on.

Leo Famulari wrote on 23 Mar 18:55 +0100
(name . Léo Le Bouter via Bug reports for GNU Guix) (address . bug-guix@gnu.org) (address . 47319@debbugs.gnu.org)
YFori3lHDKLjAEyE@jasmine.lan
On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
Thanks for the notification.
I checked on some other distros that, like us, try to avoid major updates of packages with a lot of dependents:
https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957
So, both Debian and Red Hat are still shipping the vulnerable packages. At least, we are in good company. We would monitor the Debian page and copy their patch, if they decide to fix the bug.
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
>
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?
Grafting Python packages is not something we've done in the past, as far as I can tell from reading the Git log, although I don't know if it works or not.

Mark H Weaver wrote on 6 Apr 01:54 +0200
87wntg5lsm.fsf@netris.org
Leo Famulari <leo@famulari.name> writes:
> On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> Has lots of dependents so I suppose it needs grafting? Is that useful
>> and does it work for Python packages?
>
> Grafting Python packages is not something we've done in the past, as far
> as I can tell from reading the Git log, although I don't know if
> it works or not.
I see no reason why grafting a python package wouldn't work, although admittedly my knowledge of Python is weak.
Mark