Debian has issued an advisory on April 1: https://www.debian.org/lts/security/2020/dla-2167 The issue is fixed upstream in 3.1.4. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 3.1.4
Blocks: (none) => 26379
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. (CVE-2020-6816)

Regular expression denial of service. (CVE-2020-6817)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817
https://www.debian.org/security/2020/dsa-4643
https://www.debian.org/lts/security/2020/dla-2167
https://bugs.mageia.org/show_bug.cgi?id=26379
========================

Updated packages in core/updates_testing:
========================
python2-bleach-3.1.4-1.mga7
python3-bleach-3.1.4-1.mga7

from SRPMS:
python-bleach-3.1.4-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 3.1.4 => (none)
Version: Cauldron => 7
CVE: (none) => CVE-2020-6817
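Added example (not from the bug report or from bleach itself): a small standard-library Python audit that turns the two facts in the advisory above into scriptable checks, whether a packaged NVR is at or past 3.1.4 and whether a bleach.clean() configuration meets the CVE-2020-6816 condition (svg or math whitelisted together with strip=False). All function and constant names are mine.

```python
"""Audit helpers for the python-bleach advisory (added example, not part of
the bug report or of bleach).  Constants come from the advisory text above."""
import re

# Upstream version the advisory names as carrying the fix.
FIXED_UPSTREAM = (3, 1, 4)

# Tags named in the CVE-2020-6816 description.
RCDATA_RISK_TAGS = {"svg", "math"}

# name-version-release, e.g. python3-bleach-3.1.4-1.mga7
_NVR = re.compile(r"^(?P<name>.+)-(?P<version>[0-9][^-]*)-(?P<release>[^-]+)$")


def parse_rpm_version(nvr):
    """Return the version part of an RPM NVR as a tuple of ints.

    'python3-bleach-3.1.4-1.mga7' -> (3, 1, 4)
    """
    m = _NVR.match(nvr)
    if not m:
        raise ValueError("not a name-version-release string: %r" % nvr)
    return tuple(int(p) for p in re.findall(r"\d+", m.group("version")))


def is_package_patched(nvr, fixed=FIXED_UPSTREAM):
    """True when the packaged version is at or past the fixed upstream version."""
    return parse_rpm_version(nvr) >= fixed


def config_exposed(tags, strip=False):
    """True when bleach.clean(tags=..., strip=...) is in the CVE-2020-6816
    condition: svg or math whitelisted and strip left at False."""
    return not strip and bool(RCDATA_RISK_TAGS.intersection(t.lower() for t in tags))


def audit(nvr, tags, strip=False):
    """True only when an unpatched package is used with an exposed configuration."""
    return config_exposed(tags, strip) and not is_package_patched(nvr)


if __name__ == "__main__":
    # Constructed sample: the updated package with a risky call configuration.
    print(audit("python3-bleach-3.1.4-1.mga7", ["p", "svg"], strip=False))  # False
```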
mga7, x86_64

Clean update. Had no real idea how to test this but browsed the examples at https://www.programcreek.com/python/example/60247/bleach.clean

Installed python-flask and butchered one of the examples to produce this and ran it under python2.

--------------------------------------------------------------------------------
import flask, bleach

def test_style_hang( ):
    """The sanitizer should not hang on any inline styles"""
    # TODO: Neaten this up. It's copypasta from MDN/Kuma to repro the bug
    style = ("""margin-top: 0px; margin-right: 0px; margin-bottom: 1.286em; """
             """margin-left: 0px; padding-top: 15px; padding-right: 15px; """
             """padding-bottom: 15px; padding-left: 15px; border-top-width: """
             """1px; border-right-width: 1px; border-bottom-width: 1px; """
             """border-left-width: 1px; border-top-style: dotted; """
             """border-right-style: dotted; border-bottom-style: dotted; """
             """border-left-style: dotted; border-top-color: rgb(203, 200, """
             """185); border-right-color: rgb(203, 200, 185); """
             """border-bottom-color: rgb(203, 200, 185); border-left-color: """
             """rgb(203, 200, 185); background-image: initial; """
             """background-attachment: initial; background-origin: initial; """
             """background-clip: initial; background-color: """
             """rgb(246, 246, 242); overflow-x: auto; overflow-y: auto; """
             """font: normal normal normal 100%/normal 'Courier New', """
             """'Andale Mono', monospace; background-position: initial """
             """initial; background-repeat: initial initial;""")
    html = '<p style="{0!s}">Hello world</p>'.format(style)
    styles = [
        'border', 'float', 'overflow', 'min-height', 'vertical-align',
        'white-space', 'margin', 'margin-left', 'margin-top', 'margin-bottom',
        'margin-right', 'padding', 'padding-left', 'padding-top',
        'padding-bottom', 'padding-right', 'background', 'background-color',
        'font', 'font-size', 'font-weight', 'text-align', 'text-transform',
    ]
    expected = ("""<p style="margin-top: 0px; margin-right: 0px; """
                """margin-bottom: 1.286em; margin-left: 0px; padding-top: """
                """15px; padding-right: 15px; padding-bottom: 15px; """
                """padding-left: 15px; background-color: """
                """rgb(246, 246, 242); font: normal normal normal """
                """100%/normal 'Courier New', 'Andale Mono', monospace;">"""
                """Hello world</p>""")
    print( expected )
    result = bleach.clean( html, styles=styles )

print( test_style_hang( ) )
--------------------------------------------------------------------------------

$ python style.py
<p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.286em; margin-left: 0px; padding-top: 15px; padding-right: 15px; padding-bottom: 15px; padding-left: 15px; background-color: rgb(246, 246, 242); font: normal normal normal 100%/normal 'Courier New', 'Andale Mono', monospace;">Hello world</p>
None

The "None" should probably have been the same as the style section but what do I know?
CC: (none) => tarazed25
And it looks like python-flask is not needed for this script. Tried python3 as well - same null result.
@Len The way I read the examples is the following: all these examples define some functions using bleach. So, in order to get something readable out of it, you would need some html coded page that calls on one of these functions. And that's beyond me.
CC: (none) => herman.viaene
@Herman, replying to comment 4. Yes, that is correct. The example quoted above creates its own html stanza and pushes it through a filter, a bit like an AND operation. What should come out the other end is a reduced html text without the styles listed, but instead it comes out with a blank page. In some of the other examples my backup bookmarks.html file was used. Most, if not all, of the examples use functions like eq_, which is an assert used in unit testing, a framework which needs to be set up. Have no clue about that. All we can do is replace eq_ by a print statement showing what the result should be or look like and then print out the actual result for visual comparison - a tedious process.
Addendum to comment 5: And the argument to python.bleach needs to be actual HTML text so if a file is to be used it must first be read in as a string, something I need to read up on. As said, not a python programmer.
Further to that, a rearrangement of the printouts seemed to show that bleach was doing nothing, so there is probably something that I am missing. End section of script now looks like this:

    print( expected )
    print( "=======================================================" )
    result = bleach.clean( html, styles=styles )
    print( result )

test_style_hang( )

$ python style.py
<p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.286em; margin-left: 0px; padding-top: 15px; padding-right: 15px; padding-bottom: 15px; padding-left: 15px; background-color: rgb(246, 246, 242); font: normal normal normal 100%/normal 'Courier New', 'Andale Mono', monospace;">Hello world</p>
=======================================================
<p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.286em; margin-left: 0px; padding-top: 15px; padding-right: 15px; padding-bottom: 15px; padding-left: 15px; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: dotted; border-right-style: dotted; border-bottom-style: dotted; border-left-style: dotted; border-top-color: rgb(203, 200, 185); border-right-color: rgb(203, 200, 185); border-bottom-color: rgb(203, 200, 185); border-left-color: rgb(203, 200, 185); background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(246, 246, 242); overflow-x: auto; overflow-y: auto; font: normal normal normal 100%/normal 'Courier New', 'Andale Mono', monospace; background-position: initial initial; background-repeat: initial initial;">Hello world</p>
Keywords: (none) => feedback
In the absence of any python experts to check the code in the examples, all we can do is run an application listed in `urpmq --whatrequires python3-bleach`. One of those is jupyter-notebook. Installed that and ran it from the command-line under strace. It works well as a browser within a browser, allowing the user to edit text files in the browser, play some music and video files, view images and anything text-based. However, it is impossible to tell from a trace whether bleach is used because it is not a library, just a programming tool. Giving this a pass on the basis of a clean install and verification that a python3 application which requires it does work, for python3 anyway. Removing feedback marker.
Keywords: feedback => (none)
Whiteboard: (none) => MGA7-64-OK
Thank you for your efforts, Len. Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to svn
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0176.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED