Bug 672874 (CVE-2018-19787) - <dev-python/lxml-4.2.5: XSS attack (CVE-2018-19787)
Summary: <dev-python/lxml-4.2.5: XSS attack (CVE-2018-19787)
Status: RESOLVED FIXED
Alias: CVE-2018-19787
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/lxml/lxml/commit/6...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-10 13:53 UTC by Vlad K.
Modified: 2019-03-10 03:48 UTC

See Also:
Package list:
dev-python/lxml-4.2.5
Runtime testing required: ---
stable-bot: sanity-check+


Description Vlad K. 2018-12-10 13:53:59 UTC
* CVE 2018-19787

  https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109

  "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the
  lxml.html.clean module does not remove javascript: URLs that use escaping,
  allowing a remote attacker to conduct XSS attacks, as demonstrated by
  'j a v a s c r i p t:' in Internet Explorer. This is a similar issue to
  CVE-2014-3146." -- CVE listing
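
An added example, not part of the original report and not lxml's own code: it contrasts a scheme check on the raw attribute value with one that percent-decodes and strips whitespace and control characters first, which is the class of gap the CVE text describes. The function names, the scheme list and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Script-capable schemes checked in this example (an assumed, non-exhaustive list).
_SCRIPT_SCHEME = re.compile(r'^(?:javascript|vbscript):', re.I)
# Whitespace and ASCII control characters, removed before the scheme check.
_IGNORABLE = re.compile(r'[\s\x00-\x1f\x7f]+')

# Constructed sample attribute values, not taken from the bug report.
SAMPLES = [
    "https://example.org/page?q=a+b",
    "/docs/javascript:intro",
    "javascript:void(0)",
    "  JavaScript:void(0)",
    "j a v a s c r i p t:void(0)",
    "java%0Ascript:void(0)",
    "java%09script:void(0)",
]


def naive_is_script_url(url):
    """Test the raw value only; spacing or percent-escapes in the scheme slip past."""
    return bool(_SCRIPT_SCHEME.match(url.strip()))


def normalized_is_script_url(url):
    """Percent-decode, drop whitespace and control characters, then test the scheme."""
    candidate = _IGNORABLE.sub('', unquote_plus(url))
    return bool(_SCRIPT_SCHEME.match(candidate))


def missed_by_naive(urls):
    """Return the values only the normalized check flags."""
    return [u for u in urls
            if normalized_is_script_url(u) and not naive_is_script_url(u)]


if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:35} naive={naive_is_script_url(value)!s:5} "
              f"normalized={normalized_is_script_url(value)}")
```

The normalized check is deliberately conservative; for deployed sanitizers the remedy tracked in this bug is upgrading to dev-python/lxml-4.2.5.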
Comment 1 Vlad K. 2018-12-10 14:04:46 UTC
Appears fixed in 4.2.5, so I suppose a call to stabilize dev-python/lxml-4.2.5 would be in order.

* https://github.com/lxml/lxml/blob/master/CHANGES.txt#L44


--
Gentoo Security Scout
Vladimir Krstulja
Comment 2 Virgil Dupras (RETIRED) gentoo-dev 2018-12-10 14:16:40 UTC
Arches, please stabilize.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-11 23:49:25 UTC
ia64/ppc/ppc64 stable
Comment 4 Rolf Eike Beer archtester 2018-12-12 20:00:05 UTC
sparc stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-13 12:53:00 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-13 15:30:54 UTC
amd64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-15 23:29:11 UTC
hppa stable
Comment 8 Matt Turner gentoo-dev 2018-12-22 17:42:33 UTC
alpha stable
Comment 9 Markus Meier gentoo-dev 2019-01-02 12:16:54 UTC
arm stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-04 22:31:34 UTC
s390 stable
Comment 11 Mart Raudsepp gentoo-dev 2019-01-06 12:45:38 UTC
arm64 stable
Comment 12 Larry the Git Cow gentoo-dev 2019-01-07 20:44:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5017aebd8f4aaa096076cdde32a039188b6702b6

commit 5017aebd8f4aaa096076cdde32a039188b6702b6
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2019-01-07 20:44:33 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2019-01-07 20:44:33 +0000

    dev-python/lxml: remove old
    
    Bug: https://bugs.gentoo.org/672874
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-python/lxml/Manifest                           |  2 -
 .../lxml/files/lxml-3.6.4-fix-test_xmlschema.patch | 36 ----------
 dev-python/lxml/lxml-4.1.1.ebuild                  | 80 ---------------------
 dev-python/lxml/lxml-4.2.6.ebuild                  | 82 ----------------------
 4 files changed, 200 deletions(-)
Comment 13 Virgil Dupras (RETIRED) gentoo-dev 2019-01-07 20:45:45 UTC
Cleanup done.