1) CVE-2020-11888

Description:
"python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute."

Bug (open): https://github.com/trentm/python-markdown2/issues/348

2) Miscellaneous XSS vulnerability

Patch (fixed in 2.3.7): https://github.com/trentm/python-markdown2/commit/c86fce76472a8bb0b94f5396b3ca8db7d3591bcd

3) CVE-2018-5773

Description:
"An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. The safe_mode feature, which is supposed to sanitize user input against XSS, is flawed and does not escape the input properly. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '>' character from an IMG tag."

Bug: https://github.com/trentm/python-markdown2/issues/285
Fixed in 2.3.6.

4) Hardening on safe_mode for links

Done in 2.3.4.
PR: https://github.com/trentm/python-markdown2/pull/230
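The sanitizer bug class behind items 1 and 3 (a tag whose element name is followed by "@" or "-", and an IMG tag with its final ">" omitted), shown as a constructed Python illustration added here; it is not markdown2's own code. A toy allow-list sanitizer that only acts when its strict tag pattern matches fails open on exactly those shapes, while a fail-closed variant escapes every "<" it cannot fully parse. The SAMPLES markup, the ALLOWED set and all function names are assumptions made for this example.

```python
import html
import re

# Constructed markup built around the two shapes the bug descriptions above name.
SAMPLES = [
    '<b onclick="x()">bold</b>',        # ordinary name: strict pattern matches
    '<b@ onclick="x()">bold</b@>',      # name followed by '@'
    '<b- onclick="x()">bold</b->',      # name followed by '-'
    '<img src="a.png" onerror="x()"',   # IMG tag missing its closing '>'
]

ALLOWED = {"b", "i", "em", "strong"}  # assumed allow-list for the toy sanitizer
# Strict tag shape: '<', optional '/', a \w+ name, then '>' or whitespace + attrs + '>'.
STRICT_TAG = r"<(/?)(\w+)(?:\s[^<>]*)?>"


def _rewrite(m: re.Match) -> str:
    """Allowed tags are emitted bare (attributes dropped); others are escaped whole."""
    name = m.group(2).lower()
    if name in ALLOWED:
        return f"<{m.group(1)}{name}>"
    return html.escape(m.group(0))


def fail_open_sanitize(text: str) -> str:
    """Handles only tags matching STRICT_TAG; anything else passes through raw.
    This is the shape of the flaw described for CVE-2020-11888, not its real code."""
    return re.sub(STRICT_TAG, _rewrite, text)


def fail_closed_sanitize(text: str) -> str:
    """Same allow-list, but a '<' that does not start a strict tag is escaped."""
    def sub(m: re.Match) -> str:
        if m.group(2) is None:      # matched the bare '<' alternative
            return "&lt;"
        return _rewrite(m)
    return re.sub(STRICT_TAG + r"|<", sub, text)


def leaks_handler(out: str) -> bool:
    """True if an unescaped on*= event-handler attribute survives inside a tag."""
    return re.search(r"<[^>]*\bon\w+\s*=", out) is not None


def audit(sanitize) -> list:
    """Per-sample leak flags for a sanitizer, in SAMPLES order."""
    return [leaks_handler(sanitize(s)) for s in SAMPLES]
```

`audit(fail_open_sanitize)` flags the three malformed samples, and `audit(fail_closed_sanitize)` flags none; the same check can be pointed at any renderer's safe-mode output as a regression test.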
(In reply to Sam James (sec padawan) from comment #0)
> 1) CVE-2020-11888
>
> Description:
> "python-markdown2 through 2.3.8 allows XSS because element names are
> mishandled unless a \w+ match succeeds. For example, an attack might use
> elementname@ or elementname- with an onclick attribute."
>

We are pending a patch for this.
(In reply to Sam James (sec padawan) from comment #1)
> (In reply to Sam James (sec padawan) from comment #0)
> > 1) CVE-2020-11888
> >
> > Description:
> > "python-markdown2 through 2.3.8 allows XSS because element names are
> > mishandled unless a \w+ match succeeds. For example, an attack might use
> > elementname@ or elementname- with an onclick attribute."
> >
>
> We are pending a patch for this.

Do you mean that it's not yet fixed upstream? Should I bump to 2.3.8 anyway or wait for it?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=000222a4a757c3321995860b56265c66116881ee

commit 000222a4a757c3321995860b56265c66116881ee
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-21 09:16:06 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-21 09:16:33 +0000

    dev-python/markdown2: Bump to 2.3.8

    Bug: https://bugs.gentoo.org/718656
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/markdown2/Manifest               |  1 +
 dev-python/markdown2/markdown2-2.3.8.ebuild | 30 +++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
Let us know when ready for stabilisation. 2.3.9 seems to address all the issues now.
I'll add CC-ARCHES now but please remove/let me know if any objections.
amd64 stable
x86 stable. Maintainer(s), please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a44a4d2325ac35481227ddff0aea43e0edd34ee2

commit a44a4d2325ac35481227ddff0aea43e0edd34ee2
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 00:47:47 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 00:47:47 +0000

    dev-python/markdown2: drop vulnerable

    Bug: https://bugs.gentoo.org/718656
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/markdown2/Manifest               |  2 --
 dev-python/markdown2/markdown2-2.3.0.ebuild | 32 -----------------------------
 dev-python/markdown2/markdown2-2.3.8.ebuild | 30 ---------------------------
 3 files changed, 64 deletions(-)