GNU bug report logs

#47319 python-lxml is vulnerable to CVE-2021-28957

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 22 Mar 2021 14:09:37 +0000
From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 22 10:09:37 2021
Received: from localhost ([127.0.0.1]:58189 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lOLFR-0007c2-0A
	for submit@debbugs.gnu.org; Mon, 22 Mar 2021 10:09:37 -0400
Received: from lists.gnu.org ([209.51.188.17]:49078)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lOLFP-0007bs-Jt
 for submit@debbugs.gnu.org; Mon, 22 Mar 2021 10:09:35 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:37308)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lOLFP-0004YL-5y
 for bug-guix@gnu.org; Mon, 22 Mar 2021 10:09:35 -0400
Received: from mail.zaclys.net ([178.33.93.72]:59263)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lOLFM-0000bx-Ks
 for bug-guix@gnu.org; Mon, 22 Mar 2021 10:09:34 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12ME9Tx1000907
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@gnu.org>; Mon, 22 Mar 2021 15:09:29 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12ME9Tx1000907
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1616422169;
 bh=AxcgpvwdUGHr0e+pTbxi0e3eUadUzH9pIjQMWrAKd5Y=;
 h=Subject:From:To:Date:From;
 b=knDUM4q3YYXGFmh9HT0+aSj3EC/5xxMEB1Q3OcDkc7i+EGF3Zz6ULIvXAenUj+NsH
 bNGg3PTrMQWaxokGxW+oQ5uDZt87hB6GLQo0W6K7VcjcymjbY2NAHa/Z0mR03Kz7Q+
 U3JSCQoLw7XXA/itsUJpPg/C7iOCLbmtzOhKMXJ0=
Message-ID: <8e3d68f9e674d1556bf2ba6baff0e72c069a2673.camel@zaclys.net>
Subject: python-lxml is vulnerable to CVE-2021-28957
From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Date: Mon, 22 Mar 2021 15:09:24 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-9giu6ciUzW3V66aTEfoj"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.4 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: CVE-2021-28957 21.03.21 06:15 lxml 4.6.2 places the HTML
 action
 attribute into defs.link_attrs (in html/defs.py) for later use in input
 sanitization, 
 but does not do the same for the HTML5 formaction [...] 
 Content analysis details:   (1.4 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
 medium trust [209.51.188.17 listed in list.dnswl.org]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 2.7 MAY_BE_FORGED          Relay IP's reverse DNS does not resolve to IP
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

[Message part 1 (text/plain, inline)]
CVE-2021-28957	21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?

Léo

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 02:23:07 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.