Fedora has issued an advisory on April 30:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132472.html

The issue is fixed upstream in 3.3.5. RedHat's bug also has a link to the upstream commit that fixed it:
https://bugzilla.redhat.com/show_bug.cgi?id=1092613
Not sure it has to be done in mga4 and 3, but it is done in Cauldron.
Looks like older versions are affected too. PoC is here: http://seclists.org/fulldisclosure/2014/Apr/210
Version: Cauldron => 4
Whiteboard: (none) => MGA3TOO
CVE request: http://openwall.com/lists/oss-security/2014/05/09/3
CVE-2014-3146 assigned: http://openwall.com/lists/oss-security/2014/05/09/7
Summary: python-lxml new security issue fixed upstream in 3.3.5 => python-lxml new security issue fixed upstream in 3.3.5 (CVE-2014-3146)
Suggested advisory:
========================

Updated python-lxml packages fix security vulnerabilities:

HTML cleaning could fail to strip javascript links that mix control characters into the link scheme. A user can break the scheme of a URL with non-printing chars (\x01-\x08).

References:
http://openwall.com/lists/oss-security/2014/05/09/7
http://seclists.org/fulldisclosure/2014/Apr/210
https://bugzilla.redhat.com/show_bug.cgi?id=1092613
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132472.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
python3-lxml-3.2.4-1.1.mga4.x86_64
python-lxml-debuginfo-3.2.4-1.1.mga4.x86_64
python-lxml-3.2.4-1.1.mga4.i586
python3-lxml-3.2.4-1.1.mga4.i586
python-lxml-3.2.4-1.1.mga4.x86_64
python-lxml-debuginfo-3.2.4-1.1.mga4.i586
python-lxml-docs-3.2.4-1.1.mga4.noarch
python-lxml-3.0.1-2.1.mga3.x86_64
python-lxml-docs-3.0.1-2.1.mga3.noarch
python-lxml-debuginfo-3.0.1-2.1.mga3.x86_64
python-lxml-debuginfo-3.0.1-2.1.mga3.i586
python-lxml-3.0.1-2.1.mga3.i586

from:
python-lxml-3.2.4-1.1.mga4.src
python-lxml-3.0.1-2.1.mga3.src
Assignee: makowski.mageia => qa-bugs
PoC: http://seclists.org/fulldisclosure/2014/Apr/210
Giving a little more detail and some formatting changes.

Advisory:
========================

Updated python-lxml packages fix security vulnerability:

The clean_html() function, provided by the lxml.html.clean module, did not properly clean HTML input if it included non-printed characters (\x01-\x08). A remote attacker could use this flaw to serve malicious content to an application using the clean_html() function to process HTML, possibly allowing the attacker to inject malicious code into a website generated by this application (CVE-2014-3146).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3146
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132472.html
CC: (none) => makowski.mageia
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Just sorting the jumbled package lists to be comprehensible.

Mga3
python-lxml-3.0.1-2.1.mga3
python-lxml-docs-3.0.1-2.1.mga3

Mga4
python3-lxml-3.2.4-1.1.mga4
python-lxml-3.2.4-1.1.mga4
python-lxml-docs-3.2.4-1.1.mga4
Testing mga3 32 & 64

Before
------
$ python
Python 2.7.6 (default, Mar 18 2014, 21:51:11)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>>
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>>
>>> print clean_html(html)
<div>
<body>
<a href="">
aaa</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="">bbb</a>
</body>
</div>
>>> quit()

After
-----
$ python
Python 2.7.6 (default, Mar 18 2014, 21:51:11)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>>
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>>
>>> print clean_html(html)
<div>
<body>
<a href="">
aaa</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
</body>
</div>
>>> quit()
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
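The href cases from the test procedure above, as an added stdlib-only example that is not part of this bug report and not lxml's own code: a naive prefix check on the raw attribute value (the kind of check the control characters defeat) next to a hardened check that first strips ASCII whitespace and C0 control characters and then decides by a scheme allowlist. The strip pattern, the `ALLOWED_SCHEMES` set, the sample hrefs and all function names are constructed for this example; the pattern is an assumption modelled on the style of the upstream fix, not a copy of it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample hrefs mirroring the test procedure above: a plain
# javascript: URL, the same scheme with one C0 control character (\x01-\x09)
# inserted, and two benign links that must survive cleaning.
SAMPLE_HREFS = (
    ["javascript:alert(0)"]
    + ["javas%script:alert(1)" % chr(c) for c in range(1, 10)]
    + ["https://example.org/page", "/relative/path"]
)

# Characters a browser or HTML parser may drop or fold into whitespace
# before it resolves the scheme: ASCII whitespace plus the C0 range and DEL.
# (Assumption: modelled on the style of the upstream fix, not lxml's code.)
_STRIP_RE = re.compile(r"[\s\x00-\x1f\x7f]+")

# Schemes an application chooses to allow in user-supplied links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def naive_is_safe(href):
    """Weak check: inspects the raw string only, so a control character
    inserted into 'javascript' hides the scheme from the prefix test."""
    return not href.lower().startswith("javascript:")


def hardened_is_safe(href):
    """Normalise first (drop whitespace/control chars, lower-case), then
    parse the scheme and accept it only if it is on the allowlist.
    Scheme-less (relative) URLs are accepted."""
    normalised = _STRIP_RE.sub("", href).lower()
    scheme = urlsplit(normalised).scheme
    if scheme == "":
        return True
    return scheme in ALLOWED_SCHEMES


def classify(hrefs=SAMPLE_HREFS):
    """Map each href to (naive_verdict, hardened_verdict) so the two
    checks can be compared over the same inputs."""
    return {h: (naive_is_safe(h), hardened_is_safe(h)) for h in hrefs}


if __name__ == "__main__":
    for href, (naive, hardened) in classify().items():
        print("%-28r naive=%-5s hardened=%s" % (href, naive, hardened))
```

The point of the comparison is that the raw-string check and the normalised check disagree exactly on the control-character variants: the naive check passes them, the hardened check rejects every javascript: variant while still accepting the https and relative links.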
Testing complete mga4 64 Note: Python3 needs the 'print' to be in parentheses 'print (clean_html(html))'
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0218.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED