GNU bug report logs - #47319
python-lxml is vulnerable to CVE-2021-28957


Package: guix; Reported by: Léo Le Bouter <lle-bout@HIDDEN>; Keywords: security; dated Mon, 22 Mar 2021 14:10:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Subject: python-lxml is vulnerable to CVE-2021-28957
From: Léo Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Mon, 22 Mar 2021 15:09:24 +0100
CVE-2021-28957	21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3
(https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d),
so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?

Léo


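The gap the report describes, shown as an added illustration that is not part of the bug report and not lxml's code: a sanitizer that keys its URL checks off a fixed set of "link attributes" (a constructed stand-in for lxml's defs.link_attrs) strips an unsafe scheme from action but passes the same value on formaction until formaction is added to that set. Everything below is constructed and uses only the Python standard library; LINK_ATTRS_INCOMPLETE, LINK_ATTRS_COMPLETE, sanitize, is_safe_url and the sample markup are assumptions of this example, not lxml identifiers.

```python
"""Constructed illustration of the defect class behind CVE-2021-28957: a
sanitizer whose URL checks are keyed off a fixed set of "link attributes"
passes any URL-bearing attribute that set forgets. The attribute sets below
are a hypothetical stand-in for lxml's defs.link_attrs, not lxml's own code."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sets: the first mirrors the gap the report describes (action is
# covered, HTML5 formaction is not); the second closes it.
LINK_ATTRS_INCOMPLETE = frozenset({"action", "href", "src", "cite", "background"})
LINK_ATTRS_COMPLETE = LINK_ATTRS_INCOMPLETE | {"formaction"}

# Schemes a URL-bearing attribute may carry; "" means a relative URL.
SAFE_SCHEMES = frozenset({"", "http", "https", "mailto"})

_TAB_NL = dict.fromkeys(map(ord, "\t\r\n"), None)
_LEADING_CTL = "".join(chr(c) for c in range(0x21))


def is_safe_url(value):
    """True if the URL's scheme is allowlisted. Browsers drop tabs/newlines
    inside URLs and skip leading control characters, so the value is
    normalized the same way before the scheme is read."""
    cleaned = value.translate(_TAB_NL).lstrip(_LEADING_CTL)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class LinkAttrSanitizer(HTMLParser):
    """Re-serializes markup, dropping link attributes with unsafe schemes.
    With allowed_attrs set, any attribute outside that allowlist is dropped
    too, so a URL-bearing attribute missing from link_attrs cannot slip by."""

    def __init__(self, link_attrs, allowed_attrs=None):
        super().__init__(convert_charrefs=True)
        self.link_attrs = link_attrs
        self.allowed_attrs = allowed_attrs
        self.out = []
        self.dropped = []  # (tag, attribute, value) triples that were removed

    def _filter(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if self.allowed_attrs is not None and name not in self.allowed_attrs:
                self.dropped.append((tag, name, value))
            elif name in self.link_attrs and value is not None and not is_safe_url(value):
                self.dropped.append((tag, name, value))
            else:
                kept.append((name, value))
        return kept

    @staticmethod
    def _render(tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, self._filter(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, self._filter(tag, attrs), True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped on output

    def handle_comment(self, data):
        pass  # comments are dropped outright


def sanitize(markup, link_attrs, allowed_attrs=None):
    """Return (cleaned markup, list of dropped (tag, attr, value) triples)."""
    parser = LinkAttrSanitizer(link_attrs, allowed_attrs)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: the same unsafe scheme on a covered and an uncovered attribute.
SAMPLE = (
    '<form action="javascript:void(0)">'
    '<button formaction="javascript:void(0)">go</button></form>'
    '<a href="https://example.org/">ok</a>'
)

if __name__ == "__main__":
    for label, attrs in (("incomplete", LINK_ATTRS_INCOMPLETE), ("complete", LINK_ATTRS_COMPLETE)):
        cleaned, dropped = sanitize(SAMPLE, attrs)
        print(f"{label}: {cleaned}")
        print(f"  dropped: {dropped}")
```

With LINK_ATTRS_INCOMPLETE the form's action is stripped while the button's formaction survives untouched; with LINK_ATTRS_COMPLETE both are stripped and the https href is kept. The optional allowed_attrs parameter shows the more robust design: attributes are dropped unless they are on a known-good list, so a URL-bearing attribute that the link set does not know about is never passed through unchecked.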
Acknowledgement sent to Léo Le Bouter <lle-bout@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47319; Package guix. Full text available.
Last modified: Mon, 22 Mar 2021 14:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.