Bug 715058 (CVE-2020-6817) - <dev-python/bleach-3.1.4: vulnerable to ReDoS
Summary: <dev-python/bleach-3.1.4: vulnerable to ReDoS
Status: RESOLVED FIXED
Alias: CVE-2020-6817
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/mozilla/bleach/blo...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 710148
Blocks:
Reported: 2020-03-27 15:24 UTC by Sebastian Pipping
Modified: 2020-03-30 19:42 UTC

See Also:
Package list:
dev-python/bleach-3.1.4
Runtime testing required: ---
stable-bot: sanity-check+
Description Sebastian Pipping gentoo-dev 2020-03-27 15:24:42 UTC
Notes:
- Does not have a known CVE yet but will: https://github.com/mozilla/bleach/issues/527
- The fix seems to be part of commit https://github.com/mozilla/bleach/commit/d6018f2539d271963c3e7f54f36ef11900363c69
- That fix has backwards-incompatible effects to my best knowledge

How should we continue?
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-27 16:26:42 UTC
Thanks for chasing it upstream.

I guess let's proceed like normal -- if you like, some ewarn could be added for a bit when people upgrade rather than a fresh install.

So, are you ready for stabilisation (you may ofc call yourself too)?
Comment 2 Sebastian Pipping gentoo-dev 2020-03-27 16:59:18 UTC
(In reply to Sam James (sam_c) (security padawan) from comment #1)
> So, are you ready for stabilisation (you may ofc call yourself too)?

There are known failing tests for all versions of bleach (bug #710148) and we're stabilizing bleach 3.1.3 in bug #714596 right now.  I don't want to advise against making 3.1.4 stable but I'm at least reluctant to advise for it.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 07:20:00 UTC
(In reply to Sebastian Pipping from comment #2)
> (In reply to Sam James (sam_c) (security padawan) from comment #1)
> > So, are you ready for stabilisation (you may ofc call yourself too)?
> 
> There are known failing tests for all versions of bleach (bug #710148) and
> we're stabilizing bleach 3.1.3 in bug #714596 right now.  I don't want to
> advise against making 3.1.4 stable but I'm at least reluctant to advise for
> it.

Let's wait until Python 3.7.7 is stable (bug 715124).
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 07:25:31 UTC
(In reply to Sam James (sam_c) (security padawan) from comment #3)
> (In reply to Sebastian Pipping from comment #2)
> > (In reply to Sam James (sam_c) (security padawan) from comment #1)
> > > So, are you ready for stabilisation (you may ofc call yourself too)?
> > 
> > There are known failing tests for all versions of bleach (bug #710148) and
> > we're stabilizing bleach 3.1.3 in bug #714596 right now.  I don't want to
> > advise against making 3.1.4 stable but I'm at least reluctant to advise for
> > it.
> 
> Let's wait until Python 3.7.7 is stable (bug 715124).

Actually, on second thought: this is an issue which will affect users of bleach too on buggy Python versions.

It's unrelated to the stabilisation of a newer bleach, right?
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-30 14:47:28 UTC
The test failure bug has now been closed because it was due to the Python version.

Are we alright to stabilise now, given it was independent of bleach? Thanks!
Comment 6 Sebastian Pipping gentoo-dev 2020-03-30 16:51:01 UTC
(In reply to Sam James (sam_c) (security padawan) from comment #5)
> The test failure bug has now been closed because it was due to the Python
> version.
> 
> Are we alright to stabilise now, given it was independent of bleach? Thanks!

Given https://bugs.gentoo.org/714596#h4 and the fact that we still have 3.1.3 around I think it's fair to continue.  Adding arches now…
Comment 7 Mart Raudsepp gentoo-dev 2020-03-30 17:31:17 UTC
arm64 stable; amd64 arm ia64 ppc ppc64 x86 hppa s390 sparc ALLARCHES stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-30 17:41:42 UTC
Cleanup done.

GLSA vote: No.