Bug 829053 (CVE-2021-43818, GHSL-2021-1037, GHSL-2021-1038) - <dev-python/lxml-4.6.5: multiple HTML cleaner script injection vulnerabilities
Summary: <dev-python/lxml-4.6.5: multiple HTML cleaner script injection vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-43818, GHSL-2021-1037, GHSL-2021-1038
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 829067
Blocks:
Reported: 2021-12-13 07:30 UTC by Michał Górny
Modified: 2022-08-10 04:23 UTC (History)
Runtime testing required: ---
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-12-13 07:30:55 UTC
4.6.5 (2021-12-12)
==================

Bugs fixed
----------

* A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script
  content through SVG images.

* A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script
  content through CSS imports and other crafted constructs.
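Added example (not code from the bug report, from Gentoo, or from lxml itself) showing the two things a defender wants from this advisory: a check that the lxml in use is at or past the 4.6.5 fix, and a defence-in-depth Cleaner configuration that drops SVG and style content outright rather than relying on the cleaner's own filtering of them. The version parser and the `hardened_cleaner()` option set are my own; the import fallback to `lxml_html_clean` assumes the separately packaged cleaner that lxml 5.2+ moved to, and only the version logic runs without lxml installed.

```python
"""Gate on the fixed lxml release (4.6.5, per the bug) and build a
conservative HTML cleaner. Added example, not part of the bug or lxml."""
import re

# Every lxml release before 4.6.5 ships the affected HTML cleaner
# (GHSL-2021-1037 / GHSL-2021-1038, CVE-2021-43818).
FIXED_VERSION = "4.6.5"


def parse_version(text):
    """Turn '4.6.4', '4.6.5rc1' or '5.2.1' into a comparable tuple.

    Only the leading dotted numeric components are used; any suffix
    (rc1, b2, .dev0, ...) is treated as a pre-release, which sorts before
    the final release of the same number. Short versions are padded so
    '4.6' compares like '4.6.0'.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    is_final = 0 if m.group(2) else 1  # pre-release (0) < final (1)
    return nums + (is_final,)


def is_affected(version_text):
    """True when the given lxml version predates the 4.6.5 fix.
    Pre-releases of 4.6.5 itself are conservatively counted as affected."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def installed_lxml_version():
    """Version of the lxml importable in this interpreter, or None."""
    try:
        import lxml
    except ImportError:
        return None
    return lxml.__version__


def hardened_cleaner():
    """Cleaner that removes the content classes named in the changelog
    (SVG, CSS) wholesale, so the outcome does not depend on how well a
    given cleaner version inspects them.

    Assumption: lxml.html.clean is importable; on lxml >= 5.2 the cleaner
    lives in the separate lxml_html_clean package, hence the fallback.
    """
    try:
        from lxml.html.clean import Cleaner
    except ImportError:
        from lxml_html_clean import Cleaner  # assumed split-out package
    return Cleaner(
        scripts=True,            # <script> elements
        javascript=True,         # on* handlers and javascript: URLs
        style=True,              # <style> elements
        inline_style=True,       # style="..." attributes
        embedded=True,           # <object>, <embed>, <applet>
        forms=True,
        safe_attrs_only=True,
        # Remove the element and everything inside it, not just the tag.
        kill_tags={"svg", "math", "style", "link"},
    )


def check_and_report():
    """Human-readable status for an ops checklist; returns the verdict."""
    version = installed_lxml_version()
    if version is None:
        print("lxml not installed in this interpreter")
        return None
    verdict = is_affected(version)
    state = "AFFECTED (< 4.6.5)" if verdict else "fixed"
    print(f"lxml {version}: HTML cleaner {state}")
    return verdict


if __name__ == "__main__":
    check_and_report()
```

In a deployment check, `is_affected(installed_lxml_version())` is the line that belongs in a CI gate; `hardened_cleaner()` is what to pass untrusted HTML through after the upgrade, since `kill_tags` removes an element together with its subtree instead of leaving the cleaner to judge its contents.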
Comment 1 Larry the Git Cow gentoo-dev 2021-12-13 15:33:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41eaacb18bc5b898691a20acf9c58659716642a2

commit 41eaacb18bc5b898691a20acf9c58659716642a2
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2021-12-13 15:32:26 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2021-12-13 15:33:25 +0000

    dev-python/lxml: drop 4.6.4
    
    Bug: https://bugs.gentoo.org/829053
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-python/lxml/Manifest          |  1 -
 dev-python/lxml/lxml-4.6.4.ebuild | 97 ---------------------------------------
 2 files changed, 98 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-13 20:04:37 UTC
Thank you!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 23:05:38 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2022-08-10 04:18:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=00cb8ca9acda9480b2cbc77e709e6f1c6d0babf4

commit 00cb8ca9acda9480b2cbc77e709e6f1c6d0babf4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 03:53:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:16:21 +0000

    [ GLSA 202208-06 ] lxml: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/777579
    Bug: https://bugs.gentoo.org/829053
    Bug: https://bugs.gentoo.org/856598
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-06.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:23:09 UTC
GLSA released, all done!