Bug 13326

Summary: python-lxml new security issue fixed upstream in 3.3.5 (CVE-2014-3146)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: makowski.mageia, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/597332/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: python-lxml-3.3.3-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-05-05 18:59:43 CEST 
Fedora has issued an advisory on April 30:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132472.html

The issue is fixed upstream in 3.3.5.

RedHat's bug also has a link to the upstream commit that fixed it:
https://bugzilla.redhat.com/show_bug.cgi?id=1092613

Reproducible: 

Steps to Reproduce:
Comment 1 Philippe Makowski 2014-05-08 19:03:57 CEST 
Not sure it have to be done in mga4 and 3, but it is done in Cauldron
Comment 2 David Walser 2014-05-08 19:48:22 CEST 
Looks like older versions are affected too.  PoC is here:
http://seclists.org/fulldisclosure/2014/Apr/210

Version: Cauldron => 4
Whiteboard: (none) => MGA3TOO

Comment 3 David Walser 2014-05-09 14:48:08 CEST 
CVE request:
http://openwall.com/lists/oss-security/2014/05/09/3
Comment 4 David Walser 2014-05-09 23:06:00 CEST 
CVE-2014-3146 assigned:
http://openwall.com/lists/oss-security/2014/05/09/7

Summary: python-lxml new security issue fixed upstream in 3.3.5 => python-lxml new security issue fixed upstream in 3.3.5 (CVE-2014-3146)

Comment 5 Philippe Makowski 2014-05-10 14:56:04 CEST 
Suggested advisory:
========================

Updated python-lxml packages fix security vulnerabilities:

HTML cleaning could fail to strip javascript links that mix control characters into the link scheme. User can break schema of url with nonprinted chars (\x01-\x08).

References:
http://openwall.com/lists/oss-security/2014/05/09/7
http://seclists.org/fulldisclosure/2014/Apr/210
https://bugzilla.redhat.com/show_bug.cgi?id=1092613
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132472.html
========================

Updated packages in {core,tainted}/updates_testing:
========================

python3-lxml-3.2.4-1.1.mga4.x86_64
python-lxml-debuginfo-3.2.4-1.1.mga4.x86_64
python-lxml-3.2.4-1.1.mga4.i586
python3-lxml-3.2.4-1.1.mga4.i586
python-lxml-3.2.4-1.1.mga4.x86_64
python-lxml-debuginfo-3.2.4-1.1.mga4.i586
python-lxml-docs-3.2.4-1.1.mga4.noarch

python-lxml-3.0.1-2.1.mga3.x86_64
python-lxml-docs-3.0.1-2.1.mga3.noarch
python-lxml-debuginfo-3.0.1-2.1.mga3.x86_64
python-lxml-debuginfo-3.0.1-2.1.mga3.i586
python-lxml-3.0.1-2.1.mga3.i586

from :
python-lxml-3.2.4-1.1.mga4.src
python-lxml-3.0.1-2.1.mga3.src

Assignee: makowski.mageia => qa-bugs

Comment 6 claire robinson 2014-05-10 15:35:11 CEST 
PoC: http://seclists.org/fulldisclosure/2014/Apr/210
Comment 7 David Walser 2014-05-12 16:15:19 CEST 
Giving a little more detail and some formatting changes.

Advisory:
========================

Updated python-lxml packages fix security vulnerability:

The clean_html() function, provided by the lxml.html.clean module, did not
properly clean HTML input if it included non-printed characters (\x01-\x08).
A remote attacker could use this flaw to serve malicious content to an
application using the clean_html() function to process HTML, possibly
allowing the attacker to inject malicious code into a website generated by
this application (CVE-2014-3146).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3146
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132472.html

CC: (none) => makowski.mageia

claire robinson 2014-05-13 19:18:16 CEST

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 8 claire robinson 2014-05-14 14:17:21 CEST 
Just sorting the jumbled package lists to be comprehensible..

Mga3
python-lxml-3.0.1-2.1.mga3
python-lxml-docs-3.0.1-2.1.mga3

Mga4
python3-lxml-3.2.4-1.1.mga4
python-lxml-3.2.4-1.1.mga4
python-lxml-docs-3.2.4-1.1.mga4
Comment 9 claire robinson 2014-05-14 14:31:16 CEST 
Testing mga3 32 & 64

Before
------
$ python
Python 2.7.6 (default, Mar 18 2014, 21:51:11) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>> 
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>> 
>>> print clean_html(html)

<div>
<body>
<a href="">
aaa</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="">bbb</a>
</body>
</div>

>>> quit()
 
After
-----
$ python
Python 2.7.6 (default, Mar 18 2014, 21:51:11) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>> 
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>> 
>>> print clean_html(html)

<div>
<body>
<a href="">
aaa</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
</body>
</div>

>>> quit()

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 10 claire robinson 2014-05-14 14:38:32 CEST 
Testing complete mga4 64

Note: Python3 needs the 'print' to be in parentheses 'print (clean_html(html))'

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 11 claire robinson 2014-05-14 14:40:53 CEST 
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 12 claire robinson 2014-05-14 14:44:35 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 13 Thomas Backlund 2014-05-15 00:20:48 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0218.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED