Bug 28983

Summary: python-lxml new security issue CVE-2021-28957
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, makowski.mageia, nicolas.salguero, ouaurelien, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: python-lxml-4.6.2-1.mga8.src.rpm CVE: CVE-2021-28957
Status comment:

Description David Walser 2021-05-28 22:00:57 CEST 
Debian and Ubuntu have issued advisories on March 29 and March 30:
https://www.debian.org/security/2021/dsa-4880
https://ubuntu.com/security/notices/USN-4896-1

The issue is fixed upstream in 4.6.3.

Mageia 7 is also affected.
David Walser 2021-05-28 22:01:15 CEST

Status comment: (none) => Fixed upstream in 4.6.3
Whiteboard: (none) => MGA7TOO
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2021-05-29 20:23:20 CEST 
Assigning to Python stack maintainers, CC'ing PhilippeM registered maintainer.

Assignee: bugsquad => python
CC: (none) => makowski.mageia

Comment 2 David Walser 2021-05-30 04:39:39 CEST 
Fedora has issued an advisory for this on May 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
Comment 3 David GEIGER 2021-06-07 09:50:00 CEST 
Done for Cauldron, mga8 and mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2021-06-09 01:25:50 CEST 
RPMS:
python2-lxml-4.3.0-1.3.mga7
python3-lxml-4.3.0-1.3.mga7
python-lxml-docs-4.3.0-1.3.mga7
python3-lxml-4.6.3-1.mga8
python-lxml-docs-4.6.3-1.mga8

from SRPMS:
python-lxml-4.3.0-1.3.mga7.src.rpm
python-lxml-4.6.3-1.mga8.src.rpm

Assignee: python => qa-bugs
Status comment: Fixed upstream in 4.6.3 => (none)

Comment 5 Len Lawrence 2021-06-10 19:33:35 CEST 
mga8, x64

https://bugzilla.redhat.com/show_bug.cgi?id=1941534
CVE-2021-28957
https://bugs.launchpad.net/lxml/+bug/1888153

This python script generates javascript for an X button.
Running it produces HTML code which can be copied into a local file, say cleaner.html and accessed directly through a browser.  That certainly works.

from lxml.html.clean import Cleaner
cleaner = Cleaner(
    forms=False,
    safe_attrs_only=False,
)
print( cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>""") )

Output is:
<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>

Updated the packages and ran it again.  The output was:
<div><form id="test"></form><button form="test" formaction="">X</button></div>

which would paint a button with no response.
This shows that the update addresses the Cleaner vulnerability.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-06-10 19:54:47 CEST 
Continuing from comment 5, Calibre is one of the packages which requires libxml.
Launched it to look at one of the PDF books in the library, added another from a local directory and attempted to convert another into EPUB2 format.  Not sure if that succeeded.  No regressions noted anyway.

$ cat calibre.trace | grep openat | grep lxml
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 35
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 35
[...]
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml/html/__pycache__/builder.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 57

OK for mga8.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 7 Len Lawrence 2021-06-11 10:59:26 CEST 
mga7, x64

Ran the PoC under python2 and python3.
Both versions generated the same HTML before the update:
<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>

Updated the packages and ran the PoC again:
Both versions of python generated:
<div><form id="test"></form><button form="test" formaction="">X</button></div>

CVE-2021-28957 fix is in place.

Calibre works fine after the update.  Built library, viewd one book, deleted another.  The trace showed that Calibre defaults to python2.7 in mga7, which makes sense.

Giving this the go-ahead.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 8 Thomas Andrews 2021-06-12 18:15:46 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Aurelien Oudelet 2021-06-13 21:19:28 CEST 
Advisory:
========================

An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML (CVE-2021-28957).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28983
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
 - https://www.debian.org/security/2021/dsa-4880
 - https://ubuntu.com/security/notices/USN-4896-1
========================

Updated package in 7/core/updates_testing:
========================
python2-lxml-4.3.0-1.3.mga7
python3-lxml-4.3.0-1.3.mga7
python-lxml-docs-4.3.0-1.3.mga7

from SRPM:
python-lxml-4.3.0-1.3.mga7.src.rpm

Updated package in 8/core/updates_testing:
========================
python3-lxml-4.6.3-1.mga8
python-lxml-docs-4.6.3-1.mga8

from SRPM:
python-lxml-4.6.3-1.mga8.src.rpm

Keywords: (none) => advisory
CVE: (none) => CVE-2021-28957
CC: (none) => ouaurelien

Comment 10 Mageia Robot 2021-06-13 23:34:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0246.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED