Bug 19912 - python-html5lib new security issues CVE-2016-9909 and CVE-2016-9910
Summary: python-html5lib new security issues CVE-2016-9909 and CVE-2016-9910
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/709146/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
Reported: 2016-12-08 15:32 CET by David Walser
Modified: 2017-01-03 23:05 CET

See Also:
Source RPM: python-html5lib-1.0b8-2.mga6.src.rpm
CVE: CVE-2016-9909 and CVE-2016-9910
Status comment:
Description David Walser 2016-12-08 15:32:22 CET
CVEs have been assigned for security issues fixed upstream in python-html5lib:
http://www.openwall.com/lists/oss-security/2016/12/08/8

It appears to have been fixed in 1.0b9, and the commit to fix it is linked in the message above.

Mageia 5 is also affected.
David Walser 2016-12-08 15:32:46 CET

CC: (none) => shlomif
Whiteboard: (none) => MGA5TOO

Comment 1 Philippe Makowski 2016-12-09 16:25:19 CET
Freeze push asked for Cauldron; for Mga5, I'll try, but that's not a major security issue.
Comment 2 Philippe Makowski 2016-12-10 16:49:22 CET
python-html5lib-1.0b3-7.1.mga5.noarch
python3-html5lib-1.0b3-7.1.mga5.noarch

From python-html5lib-1.0b3-7.1.mga5.src.rpm
Are in core/updates_testing


Fix potential cross-site scripting vulnerability: quote attributes that need escaping in legacy browsers.

Ref:
http://www.openwall.com/lists/oss-security/2016/12/08/8
https://github.com/html5lib/html5lib-python/issues/11
https://github.com/html5lib/html5lib-python/issues/12
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9909
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9910


For testers:
The package has a test section for both python2 and python3 that is run during build:
Ran 21566 tests in 29.301s
Ran 21566 tests in 35.569s

So I guess that a simple update is enough.

CVE: (none) => CVE-2016-9909 and CVE-2016-9910
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
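To illustrate the quoting policy the advisory text above describes, here is an added example (written for this page; it is not html5lib's code and not part of the bug report) of a minimal attribute serializer with a spec-only rule and a stricter legacy-aware rule. The exact character set used for the legacy rule is an assumption: it treats C0/C1 control characters and Unicode non-characters as unsafe in addition to the characters the HTML5 spec forbids in unquoted values.

```python
import re

# Characters the HTML5 spec says an unquoted attribute value may not contain:
# ASCII whitespace, both quote characters, '=', '<', '>' and backtick.
_SPEC_UNSAFE = re.compile('[\t\n\x0c\r "\'=<>`]')

# Assumed stricter "legacy" rule: additionally quote when the value carries a
# C0/C1 control character or a Unicode non-character, since older browsers
# may treat such bytes as attribute-value delimiters.
_LEGACY_UNSAFE = re.compile(
    '[\t\n\x0c\r "\'=<>`\x00-\x1f\x7f-\x9f\ufdd0-\ufdef\ufffe\uffff]'
)


def needs_quoting(value, policy="legacy"):
    """Return True if `value` must be quoted under the given policy."""
    if policy == "always" or value == "":
        return True
    if policy == "spec":
        return _SPEC_UNSAFE.search(value) is not None
    if policy == "legacy":
        return _LEGACY_UNSAFE.search(value) is not None
    raise ValueError("unknown policy: %r" % (policy,))


def serialize_attr(name, value, policy="legacy"):
    """Serialize one attribute, quoting and escaping whenever the policy requires."""
    escaped = value.replace("&", "&amp;")
    if needs_quoting(value, policy):
        return '%s="%s"' % (name, escaped.replace('"', "&quot;"))
    return "%s=%s" % (name, escaped)


def serialize_start_tag(tag, attrs, policy="legacy"):
    """Serialize a start tag from a list of (name, value) pairs."""
    parts = [tag] + [serialize_attr(n, v, policy) for n, v in attrs]
    return "<" + " ".join(parts) + ">"


if __name__ == "__main__":
    # Constructed sample: the control character \x01 is left unquoted by the
    # spec-only rule but quoted by the legacy-aware rule.
    sample = "a\x01b"
    print(serialize_attr("title", sample, "spec"))
    print(serialize_attr("title", sample, "legacy"))
    print(serialize_start_tag("a", [("href", "/p?a=1"), ("title", "t")]))
```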

David Walser 2016-12-10 17:13:18 CET

Version: Cauldron => 5

David Walser 2016-12-14 18:17:42 CET

URL: (none) => https://lwn.net/Vulnerabilities/709146/

Comment 3 Herman Viaene 2016-12-26 13:31:10 CET
MGA5-32 on Acer D620 Xfce
No installation issues - OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 4 Lewis Smith 2016-12-28 11:18:57 CET
Advisory from Comment 2 uploaded.

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 5 Lewis Smith 2017-01-03 21:25:01 CET
Testing M5 x64

I could find no previous bug for this package; so following the handy advice in Comment 2 (thanks Philippe), I just installed from current repos:
 python-html5lib-1.0b3-7.mga5.noarch.rpm
then updated it from Updates Testing to:
 python-html5lib-1.0b3-7.1.mga5

No problems => OK! Validating; advisory already in place.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-01-03 23:05:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0001.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
