Bug 27685

Summary:	python-lxml new security issue CVE-2020-27783
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	andrewsfarm, makowski.mageia, nicolas.salguero, ouaurelien, sysadmin-bugs
Version:	7	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA7-64-OK
Source RPM:	python-lxml-4.3.0-1.mga7.src.rpm	CVE:	CVE-2020-27783
Status comment:

Description David Walser 2020-11-29 17:01:15 CET

Debian-LTS has issued an advisory on November 27:
https://www.debian.org/lts/security/2020/dla-2467

The issue is fixed upstream in 4.6.1:
https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e

Comment 1 Lewis Smith 2020-11-29 20:24:14 CET

Various people have touched this in recent times, so assigning it globally.
CC'ing Philippe in case.

Assignee: bugsquad => pkg-bugs
CC: (none) => makowski.mageia

Comment 2 Nicolas Salguero 2020-12-08 09:22:18 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783
https://www.debian.org/lts/security/2020/dla-2467
========================

Updated packages in core/updates_testing:
========================
python2-lxml-4.3.0-1.1.mga7
python3-lxml-4.3.0-1.1.mga7
python-lxml-docs-4.3.0-1.1.mga7

from SRPM:
python-lxml-4.3.0-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-27783
Status: NEW => ASSIGNED

Comment 3 David Walser 2020-12-09 23:43:06 CET

Ubuntu has issued an advisory for this today (December 9):
https://ubuntu.com/security/notices/USN-4666-1

They say this commit is also needed for the Mageia 7 update:
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7

Severity: normal => major
CC: (none) => qa-bugs
Assignee: qa-bugs => nicolas.salguero

Comment 4 Nicolas Salguero 2020-12-10 10:09:32 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783
https://www.debian.org/lts/security/2020/dla-2467
https://ubuntu.com/security/notices/USN-4666-1
========================

Updated packages in core/updates_testing:
========================
python2-lxml-4.3.0-1.2.mga7
python3-lxml-4.3.0-1.2.mga7
python-lxml-docs-4.3.0-1.2.mga7

from SRPM:
python-lxml-4.3.0-1.2.mga7.src.rpm

Nicolas Salguero 2020-12-10 10:22:40 CET

Assignee: nicolas.salguero => qa-bugs

David Walser 2020-12-10 14:19:16 CET

CC: qa-bugs => (none)

Comment 5 Thomas Andrews 2021-01-15 01:44:19 CET

No installation issues.

Reaching all the way back to Bug 13326 for a testing procedure...

(Thank you, Claire!)

$ python
Python 2.7.18 (default, Nov 20 2020, 06:51:30) 
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>> 
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>> 
>>> print clean_html(html)
<div>
<body>
<a href="">
aaa</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
</body>
</div>

This result is the same as that in Bug 13326, so I'm passing this on.

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 David Walser 2021-01-15 21:53:41 CET

Fedora has issued advisory for this on January 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/

Comment 7 Aurelien Oudelet 2021-01-17 15:04:15 CET

Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-01-17 17:08:33 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0038.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED