Bug 27685 - python-lxml new security issue CVE-2020-27783
Summary: python-lxml new security issue CVE-2020-27783
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-29 17:01 CET by David Walser
Modified: 2021-01-17 17:08 CET

See Also:
Source RPM: python-lxml-4.3.0-1.mga7.src.rpm
CVE: CVE-2020-27783
Status comment:


Attachments

Description David Walser 2020-11-29 17:01:15 CET
Debian-LTS has issued an advisory on November 27:
https://www.debian.org/lts/security/2020/dla-2467

The issue is fixed upstream in 4.6.1:
https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
Comment 1 Lewis Smith 2020-11-29 20:24:14 CET
Various people have touched this in recent times, so assigning it globally.
CC'ing Philippe in case.

Assignee: bugsquad => pkg-bugs
CC: (none) => makowski.mageia

Comment 2 Nicolas Salguero 2020-12-08 09:22:18 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783
https://www.debian.org/lts/security/2020/dla-2467
========================

Updated packages in core/updates_testing:
========================
python2-lxml-4.3.0-1.1.mga7
python3-lxml-4.3.0-1.1.mga7
python-lxml-docs-4.3.0-1.1.mga7

from SRPM:
python-lxml-4.3.0-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-27783
Status: NEW => ASSIGNED

Comment 3 David Walser 2020-12-09 23:43:06 CET
Ubuntu has issued an advisory for this today (December 9):
https://ubuntu.com/security/notices/USN-4666-1

They say this commit is also needed for the Mageia 7 update:
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7

Severity: normal => major
CC: (none) => qa-bugs
Assignee: qa-bugs => nicolas.salguero

Comment 4 Nicolas Salguero 2020-12-10 10:09:32 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783
https://www.debian.org/lts/security/2020/dla-2467
https://ubuntu.com/security/notices/USN-4666-1
========================

Updated packages in core/updates_testing:
========================
python2-lxml-4.3.0-1.2.mga7
python3-lxml-4.3.0-1.2.mga7
python-lxml-docs-4.3.0-1.2.mga7

from SRPM:
python-lxml-4.3.0-1.2.mga7.src.rpm
Nicolas Salguero 2020-12-10 10:22:40 CET

Assignee: nicolas.salguero => qa-bugs

David Walser 2020-12-10 14:19:16 CET

CC: qa-bugs => (none)

Comment 5 Thomas Andrews 2021-01-15 01:44:19 CET
No installation issues.

Reaching all the way back to Bug 13326 for a testing procedure...

(Thank you, Claire!)

$ python
Python 2.7.18 (default, Nov 20 2020, 06:51:30) 
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml.html.clean import clean_html
>>> 
>>> html = '''\
... <html>
... <body>
... <a href="javascript:alert(0)">
... aaa</a>
... <a href="javas\x01cript:alert(1)">bbb</a>
... <a href="javas\x02cript:alert(1)">bbb</a>
... <a href="javas\x03cript:alert(1)">bbb</a>
... <a href="javas\x04cript:alert(1)">bbb</a>
... <a href="javas\x05cript:alert(1)">bbb</a>
... <a href="javas\x06cript:alert(1)">bbb</a>
... <a href="javas\x07cript:alert(1)">bbb</a>
... <a href="javas\x08cript:alert(1)">bbb</a>
... <a href="javas\x09cript:alert(1)">bbb</a>
... </body>
... </html>'''
>>> 
>>> print clean_html(html)
<div>
<body>
<a href="">
aaa</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
<a href="">bbb</a>
</body>
</div>

This result is the same as that in Bug 13326, so I'm passing this on.

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
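
A standard-library-only regression check in the spirit of the Comment 5 procedure, added here as an example (it is neither lxml's code nor part of this bug report): it shows why a sanitizer must normalise an href the way a browser does before testing its scheme, and lists the links that a raw-string scheme check would let through. The scheme list, the set of stripped characters and the sample document are this example's own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Schemes whose hrefs run script or smuggle content (assumed list).
SCRIPT_SCHEME_RE = re.compile(
    r"^(?:javascript|jscript|livescript|vbscript|data|about|mocha):", re.I)
# Whitespace and C0 control characters that browsers discard from a URL, so
# they must be removed before the scheme is inspected (assumed set).
CONTROL_WS_RE = re.compile(r"[\s\x00-\x1f]+")

def normalize_href(raw):
    """Percent-decode, then drop whitespace/control characters, so that
    'javas\\x01cript:' and 'java%0Ascript:' both collapse to 'javascript:'."""
    return CONTROL_WS_RE.sub("", unquote_plus(raw))

def naive_is_dangerous(raw):
    """The divergence the CVE describes: testing the raw attribute value."""
    return bool(SCRIPT_SCHEME_RE.match(raw))

def is_dangerous_href(raw):
    """Browser-imitating check: normalise first, then test the scheme."""
    return bool(SCRIPT_SCHEME_RE.match(normalize_href(raw)))

class HrefCollector(HTMLParser):
    """Collect href values from a, area and link start tags."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area", "link"):
            self.hrefs += [v for k, v in attrs if k == "href" and v is not None]

def find_dangerous_hrefs(html):
    """Hrefs that still reach a script scheme after normalisation; run this
    over sanitizer output as a regression check."""
    p = HrefCollector()
    p.feed(html)
    return [h for h in p.hrefs if is_dangerous_href(h)]

def missed_by_naive_check(html):
    """Dangerous hrefs a raw-string scheme check would have passed."""
    return [h for h in find_dangerous_hrefs(html) if not naive_is_dangerous(h)]

# Constructed sample: the \x01..\x09 variants from Comment 5, plus a
# percent-encoded newline, a mixed-case/leading-space form and a safe link.
SAMPLE = (
    '<a href="javascript:alert(0)">aaa</a>'
    + "".join('<a href="javas%script:alert(1)">bbb</a>' % chr(c) for c in range(1, 10))
    + '<a href="java%0Ascript:alert(2)">ccc</a>'
    + '<a href=" JaVaScRiPt:alert(3)">ddd</a>'
    + '<a href="https://example.com/">ok</a>'
)
```

Feed the output of clean_html() to find_dangerous_hrefs(); an empty list is the pass condition, and anything returned is a link the sanitizer and the browser disagree about.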

Comment 7 Aurelien Oudelet 2021-01-17 15:04:15 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-01-17 17:08:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0038.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED