
Bug 672874 (CVE-2018-19787)

Summary: <dev-python/lxml-4.2.5: XSS attack (CVE-2018-19787)
Product: Gentoo Security
Reporter: Vlad K. <vk-gentoo-bugs>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: python
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109
See Also: https://bugs.gentoo.org/show_bug.cgi?id=509134
Whiteboard: B4 [noglsa cve]
Package list: dev-python/lxml-4.2.5
Runtime testing required: ---

Description Vlad K. 2018-12-10 13:53:59 UTC
* CVE 2018-19787

  https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109

  "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the
  lxml.html.clean module does not remove javascript: URLs that use escaping,
  allowing a remote attacker to conduct XSS attacks, as demonstrated by
  'j a v a s c r i p t:' in Internet Explorer. This is a similar issue to
  CVE-2014-3146." -- CVE listing
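The bypass class the CVE text describes (a literal `javascript:` check defeated by interleaved whitespace or escaping) next to a normalizing check that catches it, as an added example that is neither lxml's code nor part of this bug report; the scheme list and the stripped character classes are assumptions chosen for the illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Schemes that must never survive sanitization of an href/src attribute.
# Assumed list for this example; a real sanitizer should use its own policy.
DANGEROUS_SCHEMES = ("javascript", "jscript", "livescript", "vbscript", "data")

# Characters lenient browsers (historically IE) skip inside a scheme:
# ASCII whitespace and C0 control characters. Assumption for this example.
_STRIP_RE = re.compile(r"[\s\x00-\x1f]+")


def naive_is_script_url(url: str) -> bool:
    """The kind of literal check the CVE describes as insufficient."""
    return url.lower().startswith("javascript:")


def normalize_scheme(url: str) -> str:
    """Return the scheme a lenient browser would see, or '' if there is none.

    Decode HTML character references (&#106;avascript:) and percent-encoding
    (j%61vascript:) first, then drop whitespace/control characters that were
    interleaved to defeat a literal match ('j a v a s c r i p t:').
    """
    decoded = unquote_plus(html.unescape(url))
    collapsed = _STRIP_RE.sub("", decoded)
    scheme, sep, _rest = collapsed.partition(":")
    return scheme.lower() if sep else ""


def is_script_url(url: str) -> bool:
    """True when the URL, after normalization, uses a script-executing scheme."""
    return normalize_scheme(url) in DANGEROUS_SCHEMES


def clean_href(url: str) -> str:
    """Drop the attribute value entirely when it would execute script."""
    return "" if is_script_url(url) else url


if __name__ == "__main__":
    # Constructed sample: the spaced form quoted in the CVE text.
    sample = "j a v a s c r i p t:void(0)"
    print("naive check:", naive_is_script_url(sample))   # False: bypassed
    print("normalized :", is_script_url(sample))         # True: caught
```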
Comment 1 Vlad K. 2018-12-10 14:04:46 UTC
Appears fixed in 4.2.5, so I suppose a call to stabilize dev-python/lxml-4.2.5 would be in order.

* https://github.com/lxml/lxml/blob/master/CHANGES.txt#L44


--
Gentoo Security Scout
Vladimir Krstulja
Comment 2 Virgil Dupras (RETIRED) gentoo-dev 2018-12-10 14:16:40 UTC
Arches, please stabilize.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-11 23:49:25 UTC
ia64/ppc/ppc64 stable
Comment 4 Rolf Eike Beer archtester 2018-12-12 20:00:05 UTC
sparc stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-13 12:53:00 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-13 15:30:54 UTC
amd64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-15 23:29:11 UTC
hppa stable
Comment 8 Matt Turner gentoo-dev 2018-12-22 17:42:33 UTC
alpha stable
Comment 9 Markus Meier gentoo-dev 2019-01-02 12:16:54 UTC
arm stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-04 22:31:34 UTC
s390 stable
Comment 11 Mart Raudsepp gentoo-dev 2019-01-06 12:45:38 UTC
arm64 stable
Comment 12 Larry the Git Cow gentoo-dev 2019-01-07 20:44:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5017aebd8f4aaa096076cdde32a039188b6702b6

commit 5017aebd8f4aaa096076cdde32a039188b6702b6
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2019-01-07 20:44:33 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2019-01-07 20:44:33 +0000

    dev-python/lxml: remove old
    
    Bug: https://bugs.gentoo.org/672874
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-python/lxml/Manifest                           |  2 -
 .../lxml/files/lxml-3.6.4-fix-test_xmlschema.patch | 36 ----------
 dev-python/lxml/lxml-4.1.1.ebuild                  | 80 ---------------------
 dev-python/lxml/lxml-4.2.6.ebuild                  | 82 ----------------------
 4 files changed, 200 deletions(-)
Comment 13 Virgil Dupras (RETIRED) gentoo-dev 2019-01-07 20:45:45 UTC
Cleanup done.