GNU bug report logs -
#47319
python-lxml is vulnerable to CVE-2021-28957
Previous Next
Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>
Date: Mon, 22 Mar 2021 14:10:02 UTC
Severity: normal
Tags: security
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47319 in the body.
You can then email your comments to 47319 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#47319; Package
guix.
(Mon, 22 Mar 2021 14:10:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Mon, 22 Mar 2021 14:10:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
CVE-2021-28957 21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.
Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.
Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?
Léo
[signature.asc (application/pgp-signature, inline)]
Added tag(s) security.
Request was from
Léo Le Bouter <lle-bout <at> zaclys.net>
to
control <at> debbugs.gnu.org.
(Mon, 22 Mar 2021 14:11:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#47319; Package
guix.
(Tue, 23 Mar 2021 15:31:01 GMT)
Full text and
rfc822 format available.
Message #10 received at 47319 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
I pushed a9d540cfa87ef3a5de3296188f650fb0d037efbd on core-updates, how
to fix it on master considering the amount of dependents remains to be
agreed on.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#47319; Package
guix.
(Tue, 23 Mar 2021 17:56:02 GMT)
Full text and
rfc822 format available.
Message #13 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
Thanks for the notification.
I checked on some other distros that, like us, try to avoid major
updates of packages with a lot of dependents:
https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957
So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company. We would monitor the Debian page and
copy their patch, if they decide to fix the bug.
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
>
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?
Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't recall know if
it works or not.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#47319; Package
guix.
(Tue, 23 Mar 2021 17:56:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#47319; Package
guix.
(Mon, 05 Apr 2021 23:57:01 GMT)
Full text and
rfc822 format available.
Message #19 received at 47319 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> Has lots of dependents so I suppose it needs grafting? Is that useful
>> and does it work for Python packages?
>
> Grafting Python packages is not something we've done in the past, as far
> as I can tell from reading the Git log, although I don't recall know if
> it works or not.
I see no reason why grafting a python package wouldn't work, although
admittedly my knowledge of Python is weak.
Mark
Reply sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility.
(Wed, 23 Mar 2022 02:34:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer.
(Wed, 23 Mar 2022 02:34:02 GMT)
Full text and
rfc822 format available.
Message #24 received at 47319-done <at> debbugs.gnu.org (full text, mbox):
Hi,
Léo Le Bouter <lle-bout <at> zaclys.net> writes:
> CVE-2021-28957 21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
>
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
This is the current version in Guix.
Closing; thanks!
Maxim
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 20 Apr 2022 11:24:06 GMT)
Full text and
rfc822 format available.
This bug report was last modified 1 year and 362 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.