Bug 718656 (CVE-2018-5773, CVE-2020-11888) - <dev-python/markdown2-2.3.9: Multiple vulnerabilities (CVE-2018-5773, CVE-2020-11888)
Summary: <dev-python/markdown2-2.3.9: Multiple vulnerabilities (CVE-2018-5773, CVE-202...
Status: RESOLVED FIXED
Alias: CVE-2018-5773, CVE-2020-11888
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-20 16:53 UTC by Sam James
Modified: 2020-06-20 00:48 UTC

See Also:
Package list:
=dev-python/markdown2-2.3.9
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-20 16:53:47 UTC
1) CVE-2020-11888

Description:
"python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute."

Bug (open): https://github.com/trentm/python-markdown2/issues/348

2) Miscellaneous XSS vulnerability

Patch (fixed in 2.3.7): https://github.com/trentm/python-markdown2/commit/c86fce76472a8bb0b94f5396b3ca8db7d3591bcd

3) CVE-2018-5773

Description:
"An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '>' character from an IMG tag."

Bug: https://github.com/trentm/python-markdown2/issues/285
Fixed in 2.3.6.

4) Hardening on safe_mode for links

Done in 2.3.4.

PR: https://github.com/trentm/python-markdown2/pull/230
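The two CVE descriptions above share one failure mode: raw HTML is only treated as a tag when the element name is a plain \w+ run and the tag is terminated by '>', while a browser's tokenizer accepts names like "a@" or "a-" and implicitly closes an unterminated tag. The block below is an added example, not code from markdown2, from upstream, or from this bug: a constructed toy safe mode that reproduces that flawed assumption beside a hardened variant, plus a small lenient-parser check that flags any surviving on*= handler. The names flawed_safe_mode, hardened_safe_mode, has_live_handler, evaluate and the PAYLOADS table are all assumptions made for the illustration; the payload shapes follow the CVE texts.

```python
import html
import re

# Added illustration of the bug class behind CVE-2020-11888 and CVE-2018-5773.
# This is NOT markdown2's code. It is a constructed toy "safe mode" that shares
# the flawed assumption the CVE texts describe: raw HTML is only recognised as a
# tag when the element name is a \w+ run and the tag is terminated by '>'.
# Anything the regex does not recognise is passed through untouched.
_FLAWED_TAG_RE = re.compile(r"<(/?)(\w+)(\s[^>]*)?>", re.DOTALL)


def flawed_safe_mode(text: str) -> str:
    """Escape only the tags the narrow regex recognises (the vulnerable pattern)."""
    return _FLAWED_TAG_RE.sub(lambda m: html.escape(m.group(0), quote=False), text)


def hardened_safe_mode(text: str) -> str:
    """Escape every '<', '>' and '&' so no raw markup survives, however malformed.

    This is the simplest sound fix for a safe mode whose contract is "neutralise
    all raw HTML": it does not try to guess what a browser would accept as a tag.
    """
    return html.escape(text, quote=False)


# Approximation of a browser tokenizer's leniency, used only to grade output:
# a tag starts at '<' plus an ASCII letter, the name runs until whitespace, '/'
# or '>' (so "a@" and "a-" are valid names), and an unterminated tag is still a
# tag. Flags any whitespace-delimited on*= attribute inside such a tag.
_LIVE_HANDLER_RE = re.compile(r"<[a-zA-Z][^>]*\son[a-z]+\s*=", re.IGNORECASE | re.DOTALL)


def has_live_handler(rendered: str) -> bool:
    """True if an unescaped tag carrying an event-handler attribute survives."""
    return _LIVE_HANDLER_RE.search(rendered) is not None


# Constructed payloads following the shapes the CVE descriptions give.
PAYLOADS = {
    "cve-2020-11888-at":   '<a@ onclick="alert(1)">click</a@>',
    "cve-2020-11888-dash": '<a- onclick="alert(1)">click</a->',
    "cve-2018-5773":       '<img src=x onerror=alert(1)',   # final '>' omitted
    "well-formed-control": '<img src=x onerror=alert(1)>',  # the narrow regex does catch this
}


def evaluate(sanitizer) -> dict:
    """Map each payload name to True if a live handler survives the sanitizer."""
    return {name: has_live_handler(sanitizer(p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for label, fn in (("flawed", flawed_safe_mode), ("hardened", hardened_safe_mode)):
        for payload, survives in evaluate(fn).items():
            print(f"{label:9s} {payload:22s} XSS survives: {survives}")
```

With the flawed sanitizer the three malformed payloads pass through untouched and only the well-formed control is escaped; the hardened sanitizer neutralises all four. To exercise a real installation instead of the toy, feed the same payloads to markdown2.markdown(payload, safe_mode="escape") and grade the output with has_live_handler; the descriptions above say the elementname@ and unterminated IMG cases survive on versions before the fixes, and comment 4 below reports 2.3.9 as the release that addresses all of them.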
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-20 16:54:31 UTC
(In reply to Sam James (sec padawan) from comment #0)
> 1) CVE-2020-11888
> 
> Description:
> "python-markdown2 through 2.3.8 allows XSS because element names are
> mishandled unless a \w+ match succeeds. For example, an attack might use
> elementname@ or elementname- with an onclick attribute."
> 

We are pending a patch for this.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-04-20 16:57:16 UTC
(In reply to Sam James (sec padawan) from comment #1)
> (In reply to Sam James (sec padawan) from comment #0)
> > 1) CVE-2020-11888
> > 
> > Description:
> > "python-markdown2 through 2.3.8 allows XSS because element names are
> > mishandled unless a \w+ match succeeds. For example, an attack might use
> > elementname@ or elementname- with an onclick attribute."
> > 
> 
> We are pending a patch for this.

Do you mean that it's not yet fixed upstream?  Should I bump to 2.3.8 anyway or wait for it?
Comment 3 Larry the Git Cow gentoo-dev 2020-04-21 09:16:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=000222a4a757c3321995860b56265c66116881ee

commit 000222a4a757c3321995860b56265c66116881ee
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-21 09:16:06 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-21 09:16:33 +0000

    dev-python/markdown2: Bump to 2.3.8
    
    Bug: https://bugs.gentoo.org/718656
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/markdown2/Manifest               |  1 +
 dev-python/markdown2/markdown2-2.3.8.ebuild | 30 +++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-14 07:16:35 UTC
Let us know when ready for stabilisation. 2.3.9 seems to address all the issues now.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 16:59:54 UTC
I'll add CC-ARCHES now but please remove/let me know if any objections.
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-07 08:46:01 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-07 08:49:20 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2020-06-20 00:48:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a44a4d2325ac35481227ddff0aea43e0edd34ee2

commit a44a4d2325ac35481227ddff0aea43e0edd34ee2
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 00:47:47 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 00:47:47 +0000

    dev-python/markdown2: drop vulnerable
    
    Bug: https://bugs.gentoo.org/718656
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/markdown2/Manifest               |  2 --
 dev-python/markdown2/markdown2-2.3.0.ebuild | 32 -----------------------------
 dev-python/markdown2/markdown2-2.3.8.ebuild | 30 ---------------------------
 3 files changed, 64 deletions(-)