Bug 28986

Assigning to Python group; CC'ing Joseph (registered maintainer) in hope.

Assignee: bugsquad => python
CC: (none) => joequant

openSUSE has issued an advisory for this on April 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/

Done for mga8 and mga7!

CC: (none) => geiger.david68210

RPMS:
python2-bleach-3.1.4-1.1.mga7
python3-bleach-3.1.4-1.1.mga7
python3-bleach-3.3.0-1.mga8

from SRPMS:
python-bleach-3.1.4-1.1.mga7.src.rpm
python-bleach-3.3.0-1.mga8.src.rpm

Status comment: Fixed upstream in 3.3.0 => (none)
Assignee: python => qa-bugs

mga8, x64

Harking back to bug 26445, this looks very difficult to test, but there may be a PoC at https://bugzilla.mozilla.org/show_bug.cgi?id=1689399

If this goes anywhere shall report back and update and test again.  Otherwise the default option.

CC: (none) => tarazed25

If you run this code:

import bleach
print( bleach.__version__ )
html = '<math></p><style><!--</style><img src/onerror=alert(1)>'
e = bleach.clean( html, tags=['math', 'p', 'style'], strip_comments=False )
print( e )

the output is:

<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>

Copy that into poc.html and navigate from a browser to that file;
e.g. file:///home/lcl/qa/python/bleach/poc.html.
That presents a --> symbol with an alert box containing 1 and an OK button which clears the alert.

Updated the package and ran the poc test again.
$ python3 poc.py
3.3.0
<math><p></p><style><!--&lt;/style&gt;&lt;img src/onerror=alert(1)&gt;--></style></math>

Modified the poc.html file and presented it to a browser again.  That shows a blank page.

Cannot say that I fully understand the point of this but it is probably a good result.

No point in proceeding any further with this without knowing what we are doing so passing this on the basis of a clean update and a possibly successful poc test.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

mga7, x64

Referring to comment 6, ran the poc tests for python2 and python3 and saw exactly the same results as reported before and after the updates.

Giving this an OK on the same grounds as the mga8 test.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Sometimes that's all we can do, Len. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Advisory:
========================

Updated python-bleach packages fix a security vulnerability:

It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when "svg" or "math" are in the allowed tags, 'p' or "br" are in allowed tags, "style", "title", "noscript", "script", "textarea", "noframes", "iframe", or "xmp" are in allowed tags and 'strip_comments=False' is set (CVE-2021-23980).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28986
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
 - https://www.debian.org/security/2021/dsa-4892.en.html
 - https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/
========================

Updated packages in 7/core/updates_testing:
========================
python2-bleach-3.1.4-1.1.mga7
python3-bleach-3.1.4-1.1.mga7

from SRPMS:
python-bleach-3.1.4-1.1.mga7.src.rpm

========================

Updated packages in 8/core/updates_testing:
========================
python3-bleach-3.3.0-1.mga8

from SRPM:
python-bleach-3.3.0-1.mga8.src.rpm

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-23980

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0260.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED