Bug 509134 (CVE-2014-3146) - <dev-python/lxml-3.3.5: Code injection via clean_html input sanitization (CVE-2014-3146)
Status: RESOLVED FIXED
Alias: CVE-2014-3146
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Reported: 2014-04-30 07:36 UTC by Agostino Sarubbo
Modified: 2014-06-29 20:57 UTC
Description Agostino Sarubbo gentoo-dev 2014-04-30 07:36:59 UTC
From ${URL} :

The lxml.html.clean module cleans up HTML by removing embedded or script content, special tags, CSS style 
annotations and much more. It was found [1] that the clean_html() function, provided by the 
lxml.html.clean module, did not properly clean HTML input if it included non-printed characters 
(\x01-\x08). A remote attacker could use this flaw to serve malicious content to an application using the 
clean_html() function to process HTML, possibly allowing the attacker to inject malicious code into a 
website generated by this application.

This issue has been reported upstream at [2] and a patch is available at [3].

[1] http://seclists.org/fulldisclosure/2014/Apr/210
[2] https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
[3] https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2014-05-03 04:56:23 UTC
There are no < 16 current versions of lxml with 3 made stable. The most recently bumped has this patch in place. Just how do you suggest clean up in this instance? I see no reference to affected version are da da da da.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-05-04 21:49:25 UTC
(In reply to Ian Delaney from comment #1)
> There are no < 16 current versions of lxml with 3 made stable. The most
> recently bumped has this patch in place. Just how do you suggest clean up
> in this instance? I see no reference to affected version are da da da da.

From the pages doing a search, it looks like all the previous versions other than dev-python/lxml-3.3.5 have this vulnerability. Without examining the code it looks like the stable versions: 3.3.0, 3.2.1, 3.0.1, and maybe even 2.3.4 are affected.

If testing is sufficiently done, then we would stabilize 3.3.5, and during the cleanup stage remove all previous versions if there are no objections, or breaking of packages. This is a B4 bug which means by policy that we have 20 days to fix.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2014-05-05 02:24:30 UTC
If testing is sufficiently done, Hmmm ok.  Well you have some days left in the 20 to receive any further input re further testing.  From here I see no reason not to go straight to making the only patched version lxml-3.3.5 stable and clean accordingly.  Let's see if there are any who differ prior to CC'ing arches.
Comment 4 Mike Gilbert gentoo-dev 2014-05-05 02:56:14 UTC
Sounds fine to me.
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2014-05-05 14:45:14 UTC
Arch teams please make stable lxml-3.3.5

alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-05-05 15:34:07 UTC
(In reply to Ian Delaney from comment #5)
> Arch teams please make stable lxml-3.3.5
> 
> alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

No. Do something like this:

Arch teams, please test and mark stable:
=dev-python/lxml-3.3.5
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-05-05 22:11:33 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-05-07 15:24:32 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-05-07 15:25:23 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-10 14:02:37 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-11 08:05:55 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-05-13 15:21:54 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-05-14 16:12:04 UTC
sparc stable
Comment 14 Markus Meier gentoo-dev 2014-05-15 20:04:22 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-05-17 13:51:11 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 01:31:59 UTC
(In reply to Ian Delaney from comment #3)
> If testing is sufficiently done, Hmmm ok.  Well you have some days left in
> the 20 to receive any further input re further testing.  From here I see no
> reason not to go straight to making the only patched version lxml-3.3.5
> stable and clean accordingly.  Let's see if there are any who differ prior
> to CC'ing arches.

OK, we have been stable for 20+ days. I see no bugs filed. So let's clean up as per this comment please.

Maintainer(s), please drop the vulnerable version.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-06-16 05:31:40 UTC
CVE-2014-3146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3146):
  Incomplete blacklist vulnerability in the lxml.html.clean module in lxml
  before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS)
  attacks via control characters in the link scheme to the clean_html
  function.
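
The incomplete-blacklist flaw described in the bug description and in the CVE text above, as an added example that is not part of the original bug report and is not lxml's source code: a simplified scheme blocklist whose pre-fix normalisation strips only whitespace, next to a hardened form that also strips control characters, with a regression check over the bytes 0x01-0x08. The function names, the scheme list and the sample links are assumptions constructed for illustration.

```python
import re

# Simplified model of a link-scheme blocklist (assumption, not lxml's code).
BLOCKED_SCHEME = re.compile(r"(?:javascript|vbscript|data):", re.I)

# Pre-fix style normalisation: only whitespace is removed before matching.
STRIP_WS = re.compile(r"\s+")
# Hardened normalisation: also remove C0 control characters and DEL.
STRIP_WS_CTRL = re.compile(r"[\s\x00-\x1f\x7f]+")


def is_blocked_weak(link: str) -> bool:
    """Blocklist check that normalises whitespace only."""
    return bool(BLOCKED_SCHEME.match(STRIP_WS.sub("", link)))


def is_blocked_hardened(link: str) -> bool:
    """Blocklist check that strips control characters before matching."""
    return bool(BLOCKED_SCHEME.match(STRIP_WS_CTRL.sub("", link)))


def regression_cases():
    """Constructed links: a blocked scheme split by each byte 0x01-0x08."""
    return ["java" + chr(c) + "script:void(0)" for c in range(0x01, 0x09)]


def audit(check):
    """Return the constructed links that the given check fails to block."""
    return [link for link in regression_cases() if not check(link)]


if __name__ == "__main__":
    # The weak check misses every control-character variant; the hardened
    # check blocks them all while leaving an ordinary https link alone.
    print("weak check misses:", len(audit(is_blocked_weak)))
    print("hardened check misses:", len(audit(is_blocked_hardened)))
    print("https blocked:", is_blocked_hardened("https://example.org/"))
```

Running `audit()` against a project's own sanitizer wrapper in place of these two functions gives a quick regression test for deployments that cannot yet move to lxml 3.3.5.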
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 05:33:15 UTC
Maintainer(s), Thank you for cleanup!

GLSA Vote: No
Comment 19 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-29 20:57:57 UTC
GLSA vote: no.

Closing as [noglsa]