
Bug 829053 (CVE-2021-43818, GHSL-2021-1037, GHSL-2021-1038)

Summary: <dev-python/lxml-4.6.5: multiple HTML cleaner script injection vulnerabilities
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Michał Górny <mgorny>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
CC: python
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 829067
Bug Blocks:

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-12-13 07:30:55 UTC
4.6.5 (2021-12-12)
==================

Bugs fixed
----------

* A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script
  content through SVG images.

* A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script
  content through CSS imports and other crafted constructs.
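The two changelog entries above name construct classes, not test cases. The following is an added example written for this page (not code from lxml, the GHSL advisories or Gentoo) that flags those classes in HTML using only the Python standard library, decides from a version string whether an lxml release falls in the affected range named in the bug summary, and, when an lxml cleaner is installed, re-scans the cleaner's output so that anything still flagged is known to have passed through it. It assumes, beyond what the bug states, that the SVG vector is an SVG document carried in a data: URI (as the CVE-2021-43818 advisory text describes) and that the CSS vector is an @import rule in <style> text or a style attribute; the sample HTML is constructed for the example.

```python
"""Added example for the lxml 4.6.5 changelog entries quoted above; not code from
lxml or Gentoo.  Assumptions not stated in the bug: the SVG vector is an SVG document
in a data: URI (per the CVE-2021-43818 text), the CSS vector is an @import rule in
<style> text or a style attribute, and SAMPLE_HTML is constructed for this example."""
import base64
import re
import urllib.parse
from html.parser import HTMLParser

FIXED_IN = (4, 6, 5)  # bug summary: <dev-python/lxml-4.6.5 is affected


def lxml_version_affected(version: str) -> bool:
    """True if a plain lxml version such as '4.6.4' is older than 4.6.5.
    Pre-release suffixes are ignored; check those by hand."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) < FIXED_IN


def decode_data_uri(uri: str):
    """Return (mediatype, payload bytes) for a data: URI, else None."""
    uri = uri.strip()
    if not uri.lower().startswith("data:"):
        return None
    header, sep, payload = uri.partition(",")
    if not sep:
        return None
    meta = header[len("data:"):].split(";")
    mediatype = meta[0].lower() or "text/plain"
    if any(m.strip().lower() == "base64" for m in meta[1:]):
        try:
            return mediatype, base64.b64decode(payload)
        except ValueError:
            return None
    return mediatype, urllib.parse.unquote_to_bytes(payload)


# Script-bearing content inside an SVG document, and CSS @import rules.
SCRIPT_RE = re.compile(rb"<\s*script\b|\son[a-z]+\s*=|javascript:", re.I)
IMPORT_RE = re.compile(r"@import\b", re.I)
URL_ATTRS = ("src", "href", "xlink:href", "data")


class SuspiciousConstructFinder(HTMLParser):
    """Collect (kind, tag, detail) tuples for the two construct classes."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        style_attr = attrs.get("style") or ""
        if IMPORT_RE.search(style_attr):
            self.findings.append(("css-import", tag, style_attr.strip()))
        for name in URL_ATTRS:  # SVG embedded through a data: URI
            decoded = decode_data_uri(attrs.get(name) or "")
            if decoded and "svg" in decoded[0] and SCRIPT_RE.search(decoded[1]):
                self.findings.append(("svg-script", tag, decoded[0]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> bodies reach handle_data as raw text
        if self._in_style and IMPORT_RE.search(data):
            self.findings.append(("css-import", "style", data.strip()))


def find_suspicious(html: str):
    finder = SuspiciousConstructFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def clean_with_installed_lxml(html: str):
    """Run the installed lxml HTML cleaner, or return None if it is absent
    (lxml 5.2+ moved the cleaner to the separate lxml_html_clean package)."""
    try:
        from lxml.html.clean import Cleaner
    except ImportError:
        return None
    return Cleaner().clean_html(html)


# Constructed sample: a data: URI SVG with a <script>, a <style> with @import,
# and a benign non-SVG data: URI image that must not be flagged.
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SAMPLE_HTML = (
    "<p>hello</p>"
    '<img src="data:image/svg+xml;base64,'
    + base64.b64encode(SVG_WITH_SCRIPT).decode() + '">'
    '<style>@import url("http://example.invalid/x.css");</style>'
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
)

if __name__ == "__main__":
    for kind, tag, detail in find_suspicious(SAMPLE_HTML):
        print(f"{kind:10s} <{tag}> {detail[:60]}")
    cleaned = clean_with_installed_lxml(SAMPLE_HTML)
    if cleaned is None:
        print("lxml cleaner not installed; skipping live check")
    else:  # anything still flagged here survived the installed cleaner
        print("after cleaner:", find_suspicious(cleaned) or "nothing flagged")
```

The scanner is a triage aid, not a replacement for upgrading: it reports the construct classes the changelog names, and the live check only tells you what the cleaner you actually have installed does with them.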
Comment 1 Larry the Git Cow gentoo-dev 2021-12-13 15:33:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41eaacb18bc5b898691a20acf9c58659716642a2

commit 41eaacb18bc5b898691a20acf9c58659716642a2
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2021-12-13 15:32:26 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2021-12-13 15:33:25 +0000

    dev-python/lxml: drop 4.6.4
    
    Bug: https://bugs.gentoo.org/829053
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-python/lxml/Manifest          |  1 -
 dev-python/lxml/lxml-4.6.4.ebuild | 97 ---------------------------------------
 2 files changed, 98 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-13 20:04:37 UTC
Thank you!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 23:05:38 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2022-08-10 04:18:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=00cb8ca9acda9480b2cbc77e709e6f1c6d0babf4

commit 00cb8ca9acda9480b2cbc77e709e6f1c6d0babf4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 03:53:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:16:21 +0000

    [ GLSA 202208-06 ] lxml: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/777579
    Bug: https://bugs.gentoo.org/829053
    Bug: https://bugs.gentoo.org/856598
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-06.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:23:09 UTC
GLSA released, all done!