Bug 22276

Summary: python-mistune new security issues CVE-2017-15612 and CVE-2017-16876
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, makowski.mageia, marja11, shlomif, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga6-64-ok
Source RPM: python-mistune-0.7.2-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2017-12-28 14:02:40 CET 
Fedora has issued an advisory on December 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC/

The issues were fixed upstream in 0.8.3.

The RedHat bugs have links to patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1524594
https://bugzilla.redhat.com/show_bug.cgi?id=1505309

Mageia 6 is also affected.
Comment 1 Marja Van Waes 2017-12-28 14:20:51 CET 
Re-assigning to the python maintainers, because Philippe never told us he's back.

CC: (none) => makowski.mageia, marja11
Assignee: makowski.mageia => python

Comment 2 Shlomi Fish 2017-12-28 16:40:34 CET 
Fixed in mga7 in 0.8.3-1 - will tackle mga6 next.

CC: (none) => shlomif
Version: Cauldron => 6

Comment 3 Shlomi Fish 2017-12-28 17:04:02 CET 
update submitted to mga6 -

Assignee: python => qa-bugs

Comment 4 David Walser 2017-12-28 17:10:09 CET 
Advisory:
========================

Updated python-mistune packages fix security vulnerabilities:

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in
java\nscript:) or a crafted email address, related to the escape and autolink
functions (CVE-2017-15612).

A cross-site-scripting vulnerability was found in python-mistune
(CVE-2017-16876).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15612
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16876
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC/
========================

Updated packages in core/updates_testing:
========================
python-mistune-0.7.2-1.1.mga6
python3-mistune-0.7.2-1.1.mga6

from python-mistune-0.7.2-1.1.mga6.src.rpm
Lewis Smith 2018-01-04 14:59:30 CET

Keywords: (none) => advisory

Comment 5 Herman Viaene 2018-01-04 15:50:45 CET 
MGA6-32 on Dell Latitude D600
No installation issues
Chased around some time to find a way to test this package, found https://pypi.python.org/pypi/mistune , but this is way over my head. Someone else can make some sense out of it?

CC: (none) => herman.viaene

Comment 6 claire robinson 2018-01-04 23:08:59 CET 
Testing complete mga6 64

Using info at Herman's link..

$ python
Python 2.7.13 (default, Dec 31 2017, 00:19:35) 
[GCC 5.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import mistune
>>> 
>>> mistune.markdown('I am using **mistune markdown parser**')
'<p>I am using <strong>mistune markdown parser</strong></p>\n'
>>> 
>>> 
>>> markdown = mistune.Markdown()
>>> markdown('I am using **mistune markdown parser**')
'<p>I am using <strong>mistune markdown parser</strong></p>\n'
>>> 
>>> 
>>> exit()

Whiteboard: (none) => mga6-64-ok

Comment 7 Lewis Smith 2018-01-07 15:03:26 CET 
Wow! An OK from Claire. Super. It is sort of generally agreed henceforth that just 1 OK (say a good OK), especially 64-bit, generally allows validation.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-01-07 17:07:30 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0066.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED