GNU bug report logs

#47319 python-lxml is vulnerable to CVE-2021-28957

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Reported by Léo Le Bouter <lle-bout@zaclys.net>
Date 2021-03-22T14:10:02
Severity normal
Tags security
Done Maxim Cournoyer <maxim.cournoyer@gmail.com>
Bug is Archived

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#47319; Package guix. (Mon, 22 Mar 2021 14:10:02 GMT) (full text, mbox, link).

Acknowledgement sent to Léo Le Bouter <lle-bout@zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Mon, 22 Mar 2021 14:10:02 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

CVE-2021-28957	21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?

Léo

[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Léo Le Bouter <lle-bout@zaclys.net> to control@debbugs.gnu.org. (Mon, 22 Mar 2021 14:11:01 GMT) (full text, mbox, link).

Information forwarded to bug-guix@gnu.org:
bug#47319; Package guix. (Tue, 23 Mar 2021 15:31:01 GMT) (full text, mbox, link).

Message #10 received at 47319@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

I pushed a9d540cfa87ef3a5de3296188f650fb0d037efbd on core-updates, how
to fix it on master considering the amount of dependents remains to be
agreed on.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47319; Package guix. (Tue, 23 Mar 2021 17:56:02 GMT) (full text, mbox, link).

Message #13 received at submit@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957	21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.

Thanks for the notification.

I checked on some other distros that, like us, try to avoid major
updates of packages with a lot of dependents:

https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957

So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company. We would monitor the Debian page and
copy their patch, if they decide to fix the bug.

> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
> 
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?

Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't recall know if
it works or not.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#47319; Package guix. (Tue, 23 Mar 2021 17:56:02 GMT) (full text, mbox, link).

Information forwarded to bug-guix@gnu.org:
bug#47319; Package guix. (Mon, 05 Apr 2021 23:57:01 GMT) (full text, mbox, link).

Message #19 received at 47319@debbugs.gnu.org (full text, mbox, reply):

Leo Famulari <leo@famulari.name> writes:

> On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> Has lots of dependents so I suppose it needs grafting? Is that useful
>> and does it work for Python packages?
>
> Grafting Python packages is not something we've done in the past, as far
> as I can tell from reading the Git log, although I don't recall know if
> it works or not.

I see no reason why grafting a python package wouldn't work, although
admittedly my knowledge of Python is weak.

      Mark

Reply sent to Maxim Cournoyer <maxim.cournoyer@gmail.com>:
You have taken responsibility. (Wed, 23 Mar 2022 02:34:02 GMT) (full text, mbox, link).

Notification sent to Léo Le Bouter <lle-bout@zaclys.net>:
bug acknowledged by developer. (Wed, 23 Mar 2022 02:34:02 GMT) (full text, mbox, link).

Message #24 received at 47319-done@debbugs.gnu.org (full text, mbox, reply):

Hi,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-28957	21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
>
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.

This is the current version in Guix.

Closing; thanks!

Maxim

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:06 GMT) (full text, mbox, link).

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 14:59:56 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.