Bug 28986 - python-bleach new security issue CVE-2021-23980
Summary: python-bleach new security issue CVE-2021-23980
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-28 22:13 CEST by David Walser
Modified: 2021-06-16 22:24 CEST (History)
7 users

See Also:
Source RPM: python-bleach-3.2.1-1.mga8.src.rpm
CVE: CVE-2021-23980
Status comment:



Description David Walser 2021-05-28 22:13:48 CEST
Debian has issued an advisory on April 18:
https://www.debian.org/security/2021/dsa-4892

The issue is fixed upstream in 3.3.0:
https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq

Mageia 7 is also affected.
David Walser 2021-05-28 22:14:04 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 3.3.0

Comment 1 Lewis Smith 2021-05-29 20:28:59 CEST
Assigning to Python group; CC'ing Joseph (registered maintainer) in hope.

Assignee: bugsquad => python
CC: (none) => joequant

Comment 2 David Walser 2021-05-30 22:30:58 CEST
openSUSE has issued an advisory for this on April 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/
Comment 3 David GEIGER 2021-06-07 09:49:54 CEST
Done for mga8 and mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2021-06-09 01:27:19 CEST
RPMS:
python2-bleach-3.1.4-1.1.mga7
python3-bleach-3.1.4-1.1.mga7
python3-bleach-3.3.0-1.mga8

from SRPMS:
python-bleach-3.1.4-1.1.mga7.src.rpm
python-bleach-3.3.0-1.mga8.src.rpm

Status comment: Fixed upstream in 3.3.0 => (none)
Assignee: python => qa-bugs

Comment 5 Len Lawrence 2021-06-12 18:11:25 CEST
mga8, x64

Harking back to bug 26445, this looks very difficult to test, but there may be a PoC at https://bugzilla.mozilla.org/show_bug.cgi?id=1689399

If this goes anywhere I shall report back, update and test again. Otherwise the default option.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-06-12 19:29:41 CEST
If you run this code:

import bleach
print(bleach.__version__)
# Allowed tags plus strip_comments=False match the configuration this bug is about.
html = '<math></p><style><!--</style><img src/onerror=alert(1)>'
e = bleach.clean(html, tags=['math', 'p', 'style'], strip_comments=False)
print(e)

the output is:

<math><p></p><style><!--</style><img src/onerror=alert(1)>--></style></math>

Copy that into poc.html and navigate from a browser to that file;
e.g. file:///home/lcl/qa/python/bleach/poc.html.
That presents a --> symbol with an alert box containing 1 and an OK button which clears the alert.

Updated the package and ran the poc test again.
$ python3 poc.py
3.3.0
<math><p></p><style><!--&lt;/style&gt;&lt;img src/onerror=alert(1)&gt;--></style></math>

Modified the poc.html file and presented it to a browser again.  That shows a blank page.

Cannot say that I fully understand the point of this but it is probably a good result.

No point in proceeding any further with this without knowing what we are doing so passing this on the basis of a clean update and a possibly successful poc test.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 7 Len Lawrence 2021-06-14 09:43:33 CEST
mga7, x64

Referring to comment 6, ran the poc tests for python2 and python3 and saw exactly the same results as reported before and after the updates.

Giving this an OK on the same grounds as the mga8 test.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 8 Thomas Andrews 2021-06-14 20:53:26 CEST
Sometimes that's all we can do, Len. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Aurelien Oudelet 2021-06-15 21:50:18 CEST
Advisory:
========================

Updated python-bleach packages fix a security vulnerability:

It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when "svg" or "math" are in the allowed tags, "p" or "br" are in allowed tags, "style", "title", "noscript", "script", "textarea", "noframes", "iframe", or "xmp" are in allowed tags and "strip_comments=False" is set (CVE-2021-23980).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28986
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
 - https://www.debian.org/security/2021/dsa-4892.en.html
 - https://github.com/mozilla/bleach/security/advisories/GHSA-vv2x-vrpj-qqpq
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YFAKMJGUZHUTZ53ZAID6PRVP5MSLXPGV/
========================

Updated packages in 7/core/updates_testing:
========================
python2-bleach-3.1.4-1.1.mga7
python3-bleach-3.1.4-1.1.mga7

from SRPMS:
python-bleach-3.1.4-1.1.mga7.src.rpm

========================

Updated packages in 8/core/updates_testing:
========================
python3-bleach-3.3.0-1.mga8

from SRPM:
python-bleach-3.3.0-1.mga8.src.rpm

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-23980
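Added example, not part of this bug report or of the bleach project: a Python check (function and constant names are assumptions of this example) that encodes the advisory's conditions from comment 9 as a configuration audit, applies the before/after output difference from comment 6 as a conservative output check, and re-runs the comment 6 input only if a bleach module happens to be installed.

```python
"""Added example (not from this bug report): audit a bleach.clean()
configuration against the conditions in the advisory, and check
sanitizer output the way comment 6's before/after results differ."""
import re

# Tag groups exactly as enumerated in the advisory text.
FOREIGN_CONTENT = {"svg", "math"}
BREAKOUT_TAGS = {"p", "br"}
RAW_TEXT_TAGS = {"style", "title", "noscript", "script", "textarea",
                 "noframes", "iframe", "xmp"}

# PoC input and the two outputs quoted from comment 6 (3.2.1 vs 3.3.0).
POC_INPUT = "<math></p><style><!--</style><img src/onerror=alert(1)>"
OUTPUT_BEFORE_FIX = ("<math><p></p><style><!--</style>"
                     "<img src/onerror=alert(1)>--></style></math>")
OUTPUT_AFTER_FIX = ("<math><p></p><style><!--&lt;/style&gt;"
                    "&lt;img src/onerror=alert(1)&gt;--></style></math>")

def clean_config_is_exposed(tags, strip_comments=True):
    """True when a bleach.clean(tags=..., strip_comments=...) call meets
    every condition the advisory gives for CVE-2021-23980. On a bleach
    without the 3.3.0 fix (or a distro backport of it) such a call can
    emit markup a browser will execute."""
    t = {tag.lower() for tag in tags}
    return (bool(t & FOREIGN_CONTENT) and bool(t & BREAKOUT_TAGS)
            and bool(t & RAW_TEXT_TAGS) and not strip_comments)

_TAG_TOKEN = re.compile(r"</?([a-zA-Z][a-zA-Z0-9-]*)")

def unexpected_tags(cleaned_html, allowed_tags):
    """Conservative output check: every tag-like token, even inside a
    comment or a raw-text element such as <style>, must be an allowed
    tag, since a browser may re-parse that content (the mXSS here).
    Returns the sorted offending tag names; an empty list means clean."""
    allowed = {t.lower() for t in allowed_tags}
    found = {m.group(1).lower() for m in _TAG_TOKEN.finditer(cleaned_html)}
    return sorted(found - allowed)

def live_check(tags=("math", "p", "style")):
    """Re-run the comment 6 PoC through the installed bleach, if any.
    Returns (version, unexpected tags) or None when bleach is absent."""
    try:
        import bleach
    except ImportError:
        return None
    out = bleach.clean(POC_INPUT, tags=list(tags), strip_comments=False)
    return bleach.__version__, unexpected_tags(out, tags)
```

A version number alone is not a reliable signal here, since the mga7 build keeps 3.1.4 with the fix backported; the output check is what tells the two builds apart.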

Comment 10 Mageia Robot 2021-06-16 22:24:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0260.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
