Bug 28983 - python-lxml new security issue CVE-2021-28957
Summary: python-lxml new security issue CVE-2021-28957
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-28 22:00 CEST by David Walser
Modified: 2021-06-13 23:34 CEST (History)
7 users

See Also:
Source RPM: python-lxml-4.6.2-1.mga8.src.rpm
CVE: CVE-2021-28957
Status comment:


Attachments

Description David Walser 2021-05-28 22:00:57 CEST
Debian and Ubuntu have issued advisories on March 29 and March 30:
https://www.debian.org/security/2021/dsa-4880
https://ubuntu.com/security/notices/USN-4896-1

The issue is fixed upstream in 4.6.3.

Mageia 7 is also affected.
David Walser 2021-05-28 22:01:15 CEST

Status comment: (none) => Fixed upstream in 4.6.3
Whiteboard: (none) => MGA7TOO
CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2021-05-29 20:23:20 CEST
Assigning to Python stack maintainers, CC'ing PhilippeM, registered maintainer.

Assignee: bugsquad => python
CC: (none) => makowski.mageia

Comment 2 David Walser 2021-05-30 04:39:39 CEST
Fedora has issued an advisory for this on May 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
Comment 3 David GEIGER 2021-06-07 09:50:00 CEST
Done for Cauldron, mga8 and mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2021-06-09 01:25:50 CEST
RPMS:
python2-lxml-4.3.0-1.3.mga7
python3-lxml-4.3.0-1.3.mga7
python-lxml-docs-4.3.0-1.3.mga7
python3-lxml-4.6.3-1.mga8
python-lxml-docs-4.6.3-1.mga8

from SRPMS:
python-lxml-4.3.0-1.3.mga7.src.rpm
python-lxml-4.6.3-1.mga8.src.rpm

Assignee: python => qa-bugs
Status comment: Fixed upstream in 4.6.3 => (none)

Comment 5 Len Lawrence 2021-06-10 19:33:35 CEST
mga8, x64

https://bugzilla.redhat.com/show_bug.cgi?id=1941534
CVE-2021-28957
https://bugs.launchpad.net/lxml/+bug/1888153

This python script generates javascript for an X button.
Running it produces HTML code which can be copied into a local file, say cleaner.html, and accessed directly through a browser.  That certainly works.

from lxml.html.clean import Cleaner

# Both options below are disabled; this is the configuration in which
# the unpatched Cleaner leaves the formaction attribute untouched.
cleaner = Cleaner(
    forms=False,
    safe_attrs_only=False,
)

# The input carries a javascript: URL in a formaction attribute; the sanitizer
# should empty or drop it.
print( cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>""".replace("</div>", "")) )

Output is:
<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>

Updated the packages and ran it again.  The output was:
<div><form id="test"></form><button form="test" formaction="">X</button></div>

which would paint a button with no response.
This shows that the update addresses the Cleaner vulnerability.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-06-10 19:54:47 CEST
Continuing from comment 5, Calibre is one of the packages which requires libxml.
Launched it to look at one of the PDF books in the library, added another from a local directory and attempted to convert another into EPUB2 format.  Not sure if that succeeded.  No regressions noted anyway.

$ cat calibre.trace | grep openat | grep lxml
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 35
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 35
[...]
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml/html/__pycache__/builder.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 57

OK for mga8.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 7 Len Lawrence 2021-06-11 10:59:26 CEST
mga7, x64

Ran the PoC under python2 and python3.
Both versions generated the same HTML before the update:
<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>

Updated the packages and ran the PoC again:
Both versions of python generated:
<div><form id="test"></form><button form="test" formaction="">X</button></div>

CVE-2021-28957 fix is in place.

Calibre works fine after the update.  Built library, viewed one book, deleted another.  The trace showed that Calibre defaults to python2.7 in mga7, which makes sense.

Giving this the go-ahead.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
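The PoC run in comments 5 and 7 relies on eyeballing the Cleaner output. The following added example (not code from this bug report, from lxml, or from Mageia) is a stdlib-only audit that treats the sanitizer as untrusted and checks its output for javascript: URLs in URL-bearing attributes, which is the attribute class the advisory describes. It also wraps the bug's own Cleaner configuration so a package tester can get a yes/no answer from the installed lxml instead of comparing strings by hand. The URL_ATTRS set and the function names are assumptions made for this example; the two sample strings are the outputs quoted in comments 5 and 7.

```python
"""Added example: audit sanitizer output for javascript: URLs in URL attributes.

Not code from the bug report or from lxml. It checks the *output* of a
sanitizer with the standard library only, so it works even when lxml is old.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Attributes that browsers interpret as URLs. This set is an assumption for the
# example; it covers formaction (CVE-2021-28957) plus the common ones.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster", "background", "xlink:href"}

# Browsers drop leading ASCII control/space characters and match the scheme
# case-insensitively, so a naive value.startswith("javascript:") misses variants.
_SCRIPT_SCHEME = re.compile(r"^[\x00-\x20]*javascript[\x00-\x20]*:", re.IGNORECASE)


def _normalize(value: str) -> str:
    """Strip tab/LF/CR anywhere in the value, as browser URL parsers do."""
    return "".join(ch for ch in value if ch not in "\t\n\r")


class _AttrAuditor(HTMLParser):
    """Collect (tag, attribute, value) for every URL attribute carrying a javascript: scheme."""

    def __init__(self) -> None:
        super().__init__()  # attribute values arrive with character references decoded
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            if value is None:
                continue
            if name in URL_ATTRS and _SCRIPT_SCHEME.match(_normalize(value)):
                self.findings.append((tag, name, value))


def find_script_urls(html: str) -> List[Tuple[str, str, str]]:
    """Return every URL attribute in `html` whose value resolves to a javascript: URL."""
    auditor = _AttrAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def sanitizer_output_is_clean(html: str) -> bool:
    """True when the sanitized HTML carries no javascript: URL in a URL attribute."""
    return not find_script_urls(html)


# Constructed samples: the two Cleaner outputs quoted in comments 5 and 7.
BEFORE_FIX = ('<div><form id="test"></form>'
              '<button form="test" formaction="javascript:alert(1)">X</button></div>')
AFTER_FIX = ('<div><form id="test"></form>'
             '<button form="test" formaction="">X</button></div>')


def check_installed_lxml() -> Optional[bool]:
    """Run the bug's Cleaner configuration against the installed lxml, if any.

    Returns True when the installed version neutralises the formaction payload,
    False when it does not, and None when lxml's clean module cannot be imported.
    """
    try:
        from lxml.html.clean import Cleaner
    except ImportError:
        return None
    cleaner = Cleaner(forms=False, safe_attrs_only=False)  # the weak settings from the PoC
    return sanitizer_output_is_clean(cleaner.clean_html(BEFORE_FIX))


if __name__ == "__main__":
    print("before fix:", find_script_urls(BEFORE_FIX))  # flags the formaction attribute
    print("after fix: ", find_script_urls(AFTER_FIX))   # []
    print("installed lxml neutralises it:", check_installed_lxml())
```

The audit is a second line of defence, not a replacement for the update: the advisory's actual mitigation is lxml 4.6.3 (or the rebuilt 4.3.0 packages on mga7) together with leaving safe_attrs_only and forms at their defaults. The check is also deliberately narrower than a sanitizer; it only answers whether a javascript: scheme survived in an attribute the browser will treat as a URL.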

Comment 8 Thomas Andrews 2021-06-12 18:15:46 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Aurelien Oudelet 2021-06-13 21:19:28 CEST
Advisory:
========================

An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML (CVE-2021-28957).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28983
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
 - https://www.debian.org/security/2021/dsa-4880
 - https://ubuntu.com/security/notices/USN-4896-1
========================

Updated package in 7/core/updates_testing:
========================
python2-lxml-4.3.0-1.3.mga7
python3-lxml-4.3.0-1.3.mga7
python-lxml-docs-4.3.0-1.3.mga7

from SRPM:
python-lxml-4.3.0-1.3.mga7.src.rpm

Updated package in 8/core/updates_testing:
========================
python3-lxml-4.6.3-1.mga8
python-lxml-docs-4.6.3-1.mga8

from SRPM:
python-lxml-4.6.3-1.mga8.src.rpm

Keywords: (none) => advisory
CVE: (none) => CVE-2021-28957
CC: (none) => ouaurelien

Comment 10 Mageia Robot 2021-06-13 23:34:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0246.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

