Debian and Ubuntu have issued advisories on March 29 and March 30: https://www.debian.org/security/2021/dsa-4880 https://ubuntu.com/security/notices/USN-4896-1 The issue is fixed upstream in 4.6.3. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 4.6.3
Whiteboard: (none) => MGA7TOO
CC: (none) => nicolas.salguero
Assigning to Python stack maintainers, CC'ing PhilippeM registered maintainer.
Assignee: bugsquad => python
CC: (none) => makowski.mageia
Fedora has issued an advisory for this on May 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
Done for Cauldron, mga8 and mga7!
CC: (none) => geiger.david68210
RPMS:
python2-lxml-4.3.0-1.3.mga7
python3-lxml-4.3.0-1.3.mga7
python-lxml-docs-4.3.0-1.3.mga7
python3-lxml-4.6.3-1.mga8
python-lxml-docs-4.6.3-1.mga8

from SRPMS:
python-lxml-4.3.0-1.3.mga7.src.rpm
python-lxml-4.6.3-1.mga8.src.rpm
Assignee: python => qa-bugs
Status comment: Fixed upstream in 4.6.3 => (none)
mga8, x64

https://bugzilla.redhat.com/show_bug.cgi?id=1941534
CVE-2021-28957
https://bugs.launchpad.net/lxml/+bug/1888153

This python script generates javascript for an X button. Running it produces HTML code which can be copied into a local file, say cleaner.html, and accessed directly through a browser. That certainly works.

from lxml.html.clean import Cleaner

# The configuration from the upstream report: with both forms filtering and
# the safe-attribute whitelist disabled, unfixed Cleaner keeps formaction.
cleaner = Cleaner(
    forms=False,
    safe_attrs_only=False,
)
print(
    cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>""")
)

Output is:

<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>

Updated the packages and ran it again. The output was:

<div><form id="test"></form><button form="test" formaction="">X</button></div>

which would paint a button with no response. This shows that the update addresses the Cleaner vulnerability.
CC: (none) => tarazed25
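A stdlib-only check added here for readers (not part of the bug report or of lxml) that scans sanitizer output for javascript: URLs in formaction and the other URL-bearing attributes, so a QA run does not have to eyeball the HTML; the function and constant names are my own, and the two samples are the outputs quoted in the comment above.

```python
from html.parser import HTMLParser

# Attributes whose value the browser navigates to or executes. formaction is
# the one CVE-2021-28957 concerns: unfixed Cleaner left it in place when
# safe_attrs_only=False and forms=False were set.
URL_ATTRS = {"formaction", "action", "href", "src", "xlink:href"}

# ASCII control characters and whitespace that browsers strip before matching
# the URL scheme, so " javascript:" must be treated the same as "javascript:".
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def _scheme_is_javascript(value: str) -> bool:
    """True if the attribute value would be interpreted as a javascript: URL."""
    normalized = value.lstrip(_LEADING_JUNK).lower()
    # Tabs and newlines inside the scheme are also ignored by browsers.
    for ch in ("\t", "\n", "\r"):
        normalized = normalized.replace(ch, "")
    return normalized.startswith("javascript:")


class _ScriptUrlFinder(HTMLParser):
    """Collects (tag, attribute, value) for every javascript: URL attribute."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True decodes &#106;avascript: etc.
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lowercases tag and attr names
            if value is not None and name in URL_ATTRS and _scheme_is_javascript(value):
                self.findings.append((tag, name, value))


def find_script_urls(html: str):
    """Return every javascript: URL attribute found in the given HTML."""
    parser = _ScriptUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def sanitizer_output_is_safe(html: str) -> bool:
    """True when the sanitized HTML carries no javascript: URL attribute."""
    return not find_script_urls(html)


# Constructed samples: the Cleaner output before and after the package update.
BEFORE_FIX = '<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>'
AFTER_FIX = '<div><form id="test"></form><button form="test" formaction="">X</button></div>'

if __name__ == "__main__":
    for label, sample in (("before update", BEFORE_FIX), ("after update", AFTER_FIX)):
        print(label, "->", find_script_urls(sample) or "clean")
```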
Continuing from comment 5, Calibre is one of the packages which requires libxml. Launched it to look at one of the PDF books in the library, added another from a local directory and attempted to convert another into EPUB2 format. Not sure if that succeeded. No regressions noted anyway.

$ cat calibre.trace | grep openat | grep lxml
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 35
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 35
[...]
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/lxml/html/__pycache__/builder.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 57

OK for mga8.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
mga7, x64

Ran the PoC under python2 and python3. Both versions generated the same HTML before the update:

<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>

Updated the packages and ran the PoC again. Both versions of python generated:

<div><form id="test"></form><button form="test" formaction="">X</button></div>

CVE-2021-28957 fix is in place.

Calibre works fine after the update. Built library, viewed one book, deleted another. The trace showed that Calibre defaults to python2.7 in mga7, which makes sense.

Giving this the go-ahead.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory:
========================

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML (CVE-2021-28957).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28983
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3C2R44VDUY7FJVMAVRZ2WY7XYL4SVN45/
- https://www.debian.org/security/2021/dsa-4880
- https://ubuntu.com/security/notices/USN-4896-1
========================

Updated package in 7/core/updates_testing:
========================
python2-lxml-4.3.0-1.3.mga7
python3-lxml-4.3.0-1.3.mga7
python-lxml-docs-4.3.0-1.3.mga7

from SRPM:
python-lxml-4.3.0-1.3.mga7.src.rpm

Updated package in 8/core/updates_testing:
========================
python3-lxml-4.6.3-1.mga8
python-lxml-docs-4.6.3-1.mga8

from SRPM:
python-lxml-4.6.3-1.mga8.src.rpm
Keywords: (none) => advisory
CVE: (none) => CVE-2021-28957
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0246.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED