Bug 635270 (CVE-2017-15612) - <dev-python/mistune-0.8.3: XSS via an unexpected newline / crafted email address
Summary: <dev-python/mistune-0.8.3: XSS via an unexpected newline / crafted email address
Status: RESOLVED FIXED
Alias: CVE-2017-15612
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-24 06:44 UTC by Agostino Sarubbo
Modified: 2018-09-25 01:51 UTC (History)

See Also:
Package list:
dev-python/mistune-0.8.3
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-10-24 06:44:00 UTC
From ${URL} :

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.

Pull request:

https://github.com/lepture/mistune/pull/140


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
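As an added illustration of the bug class named in the description (this is not mistune's code and not the fix from the linked pull request; every name below is hypothetical): a link check that inspects the raw string misses a newline placed inside the scheme, while a check that first strips ASCII control characters and whitespace, as browsers do before resolving a scheme, rejects it. The email helper shows the second half of the report, escaping the address in both the href attribute and the visible text so a crafted address cannot break out of the tag.

```python
import html
import re

# Constructed example, not mistune's implementation.
# Schemes that must never be emitted into an href by a markdown renderer.
_DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")

# Browsers ignore C0 control characters, space and DEL when parsing a URL
# scheme, so a scheme check must remove them before comparing.
_CTRL_AND_WS = re.compile(r"[\x00-\x20\x7f]")


def naive_is_safe_link(link: str) -> bool:
    """Weak check: compares the raw string, so a newline inside the scheme
    (the "java\\nscript:" case from the report) is not recognised."""
    return not link.lower().startswith(_DANGEROUS_SCHEMES)


def hardened_is_safe_link(link: str) -> bool:
    """Strip the characters a browser ignores, then compare the scheme."""
    normalized = _CTRL_AND_WS.sub("", link).lower()
    return not normalized.startswith(_DANGEROUS_SCHEMES)


def render_link(link: str, text: str, *, hardened: bool = True) -> str:
    """Render a markdown link as HTML; unsafe links keep only their text."""
    check = hardened_is_safe_link if hardened else naive_is_safe_link
    if not check(link):
        return html.escape(text)
    return '<a href="%s">%s</a>' % (html.escape(link, quote=True),
                                    html.escape(text))


def autolink_email(address: str) -> str:
    """Autolink an email address; the address is escaped wherever it is
    emitted, so quotes or angle brackets in it stay inert."""
    escaped = html.escape(address, quote=True)
    return '<a href="mailto:%s">%s</a>' % (escaped, escaped)


if __name__ == "__main__":
    # Constructed inputs: the newline-in-scheme case and a quoted address.
    for link in ("https://example.com/", "java\nscript:void(0)", "java\tscript:void(0)"):
        print(repr(link), "naive:", naive_is_safe_link(link),
              "hardened:", hardened_is_safe_link(link))
    print(autolink_email('user"name@example.test'))
```

The naive and hardened checks differ only in the normalization step; that step is the whole fix for the newline case, and it generalizes to tabs and leading control bytes, which the same regex removes.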
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2018-01-19 14:26:17 UTC
A fix for CVE-2017-15612 is contained in upstream's 0.8 version release. Please bump the package to the latest version as it contains additional security fixes.

https://github.com/lepture/mistune/blob/master/CHANGES.rst
Comment 2 Larry the Git Cow gentoo-dev 2018-09-19 15:24:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fe68a60852a6935b9d93bca2c5708409f963d3e

commit 0fe68a60852a6935b9d93bca2c5708409f963d3e
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-09-19 15:24:32 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-19 15:24:32 +0000

    dev-python/mistune: bump to 0.8.3
    
    Bug: https://bugs.gentoo.org/639298
    Bug: https://bugs.gentoo.org/635270
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-python/mistune/Manifest             |  1 +
 dev-python/mistune/mistune-0.8.3.ebuild | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
Comment 3 Virgil Dupras (RETIRED) gentoo-dev 2018-09-19 15:28:13 UTC
Bump made. amd64, x86, arm, please stabilize dev-python/mistune-0.8.3.
Comment 4 Agostino Sarubbo gentoo-dev 2018-09-21 07:42:09 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-24 01:52:19 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2018-09-24 18:13:36 UTC
arm stable, all arches done.
Comment 7 Larry the Git Cow gentoo-dev 2018-09-24 18:21:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d0b4149e7c9f43f38a7174ca5c0f9113a2d24b2

commit 7d0b4149e7c9f43f38a7174ca5c0f9113a2d24b2
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-09-24 18:20:51 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-24 18:20:51 +0000

    dev-python/mistune: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/635270
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-python/mistune/Manifest             |  2 --
 dev-python/mistune/mistune-0.7.2.ebuild | 28 ----------------------------
 dev-python/mistune/mistune-0.7.4.ebuild | 28 ----------------------------
 3 files changed, 58 deletions(-)
Comment 8 Virgil Dupras (RETIRED) gentoo-dev 2018-09-24 18:23:28 UTC
Cleanup done.
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-25 01:51:38 UTC
GLSA Vote: No.

Repository is clean, all done.