| Summary: | <dev-python/lxml-3.3.5: Code injection via clean_html input sanitization (CVE-2014-3146) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1092613 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-04-30 07:36:59 UTC
There are no < 16 current versions of lxml with 3 made stable. The most recently bumped has this patch in place. Just how do you suggest clean up in this instance? I see no reference to affected version are da da da da.

(In reply to Ian Delaney from comment #1)
> There are no < 16 current versions of lxml with 3 made stable. The most
> recently bumped has this patch in place. Just how do you suggest clean up
> in this instance? I see no reference to affected version are da da da da.

From the pages doing a search, it looks like all the previous versions other than dev-python/lxml-3.3.5 have this vulnerability. Without examining the code it looks like the stable versions 3.3.0, 3.2.1, 3.0.1, and maybe even 2.3.4 are affected. If testing is sufficiently done, then we would stabilize 3.3.5, and during the cleanup stage remove all previous versions if there are no objections or breaking of packages. This is a B4 bug, which means by policy that we have 20 days to fix.

> If testing is sufficiently done,

Hmmm ok. Well you have some days left in the 20 to receive any further input re further testing. From here I see no reason not to go straight to making the only patched version lxml-3.3.5 stable and clean accordingly. Let's see if there are any who differ prior to CC'ing arches.

Sounds fine to me.

Arch teams please make stable lxml-3.3.5

alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

(In reply to Ian Delaney from comment #5)
> Arch teams please make stable lxml-3.3.5
>
> alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

No. Do something like this:

Arch teams, please test and mark stable:
=dev-python/lxml-3.3.5
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

amd64 stable

x86 stable

ppc stable

ppc64 stable

ia64 stable

sparc stable

arm stable

alpha stable.

Maintainer(s), please cleanup. Security, please vote.

(In reply to Ian Delaney from comment #3)
> If testing is sufficiently done, Hmmm ok. Well you have some days left in
> the 20 to receive any further input re further testing. From here I see no
> reason not to go straight to making the only patched version lxml-3.3.5
> stable and clean accordingly. Let's see if there are any who differ prior
> to CC'ing arches.

Ok. We have been stable for 20+ days. I see no bugs filed. So let's clean up as per this comment please.

Maintainer(s), please drop the vulnerable version.

CVE-2014-3146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3146): Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

Maintainer(s), thank you for cleanup!

GLSA Vote: No

GLSA vote: no. Closing as [noglsa]