[Python-modules-team] Bug#951907: Suggested Stable Fix
Salvatore Bonaccorso
carnil at debian.org
Thu Feb 27 12:18:53 GMT 2020
Hi Scott,
On Thu, Feb 27, 2020 at 06:24:09AM -0500, Scott Kitterman wrote:
> On Thursday, February 27, 2020 2:44:48 AM EST Salvatore Bonaccorso wrote:
> > Hi Scott,
> >
> > On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
> > > Debdiff for proposed stable security update attached.
> > >
> > > The first hunk of the patch has the actual fix. I would prefer to use the
> > > new upstream release rather than just patch the one line because of the
> > > test improvements, of the explanation of the issue in the upstream
> > > changelog, and using the new upstream makes it clearer to external
> > > reviewers we've done the fix. There are no unrelated changes.
> >
> > Okay let's fix this via a DSA.
> > I checked the reverse dependencies and none seem to be particularly
> > impacted, but given the primary use of the module is to sanitize input
> > and is generic enough we should update.
> >
> > Can you set urgency=high for consistency, and add the now assigned CVE
> > reference (I did contact Mozilla CNA for it, and they assigned one, it
> > is CVE-2020-6802).
> >
> > Many thanks for your work and apologies for the long delay.
>
> Thanks. No worries about the delay. I imagine this isn't the most severe
> issue you are dealing with this week.
>
> I've dput the package to security-master, modified as above.
Great, many thanks, it got ACCEPTED and I quickly tested it as well.
Looks good.
I think though we might need to revisit the assessment that older
versions are not affected. Look at this quick and dirty test
deduced from the testsuite:
----cut---------cut---------cut---------cut---------cut---------cut-----
from bleach import clean

# Raw-text and escapable-raw-text elements whose content the HTML parser
# treats differently from ordinary markup; each is allowed next to <noscript>.
raw_tags = [
    "title",
    "textarea",
    "script",
    "style",
    "noembed",
    "noframes",
    "iframe",
    "xmp",
]

for raw_tag in raw_tags:
    print("Testing tag '%s' ... " % raw_tag, end='')
    data = "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag
    # The expected string is what the upstream test suite asserts for a fixed
    # version; any deviation on an installed version means it is affected.
    expected = "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag
    result = clean(data, tags=["noscript", raw_tag])
    if result == expected:
        print("OK")
    else:
        print("FAIL")
        print("expected: %s" % expected)
        print("result: %s" % result)
----cut---------cut---------cut---------cut---------cut---------cut-----
It will result in:
Testing tag 'title' ... FAIL
expected: <noscript><title></noscript><img src=x onerror=alert(1) />
result: <noscript><title></noscript><img src=x onerror=alert(1) /></title></noscript>
Testing tag 'textarea' ... FAIL
expected: <noscript><textarea></noscript><img src=x onerror=alert(1) />
result: <noscript><textarea></noscript><img src=x onerror=alert(1) /></textarea></noscript>
Testing tag 'script' ... FAIL
expected: <noscript><script></noscript><img src=x onerror=alert(1) />
result: <noscript><script></noscript><img src=x onerror=alert(1) /></script></noscript>
Testing tag 'style' ... FAIL
expected: <noscript><style></noscript><img src=x onerror=alert(1) />
result: <noscript><style></noscript><img src=x onerror=alert(1) /></style></noscript>
Testing tag 'noembed' ... FAIL
expected: <noscript><noembed></noscript><img src=x onerror=alert(1) />
result: <noscript><noembed></noscript><img src=x onerror=alert(1) /></noembed></noscript>
Testing tag 'noframes' ... FAIL
expected: <noscript><noframes></noscript><img src=x onerror=alert(1) />
result: <noscript><noframes></noscript><img src=x onerror=alert(1) /></noframes></noscript>
Testing tag 'iframe' ... FAIL
expected: <noscript><iframe></noscript><img src=x onerror=alert(1) />
result: <noscript><iframe></noscript><img src=x onerror=alert(1) /></iframe></noscript>
Testing tag 'xmp' ... FAIL
expected: <noscript><xmp></noscript><img src=x onerror=alert(1) />
result: <noscript><xmp></noscript><img src=x onerror=alert(1) /></xmp></noscript>
(and same in jessie).
Regards,
Salvatore
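A defender-side second-pass check, added here as an example and not part of this thread or of bleach itself: it re-parses sanitizer output with the standard library's html.parser and reports any element or event-handler attribute outside the allowlist, which is exactly what the noscript mutation on old versions lets through. The class, function and sample strings are constructed for this example.

```python
"""Re-parse sanitizer output and audit it against the tag allowlist.

CVE-2020-6802 is a mutation-XSS bug: the serialized output, parsed again by a
browser, yields an <img onerror=...> element the allowlist never permitted.
Re-parsing the output and checking it is a cheap regression guard.  Note that
html.parser models only <script>/<style> as raw text (not <noscript>), so this
is an approximation of browser parsing, not a replacement for an HTML5 parser.
"""
from html.parser import HTMLParser


class AllowlistAuditor(HTMLParser):
    """Collect tags and attributes that a re-parse of the output exposes."""

    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = set(allowed_tags)
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed_tags:
            self.violations.append(("tag", tag))
        for name, _value in attrs:
            # Event-handler attributes (onerror, onload, ...) are never wanted.
            if name.lower().startswith("on"):
                self.violations.append(("attr", f"{tag}@{name}"))

    # Self-closing "<img ... />" arrives here instead of handle_starttag.
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def audit_sanitized(output, allowed_tags):
    """Return the violations a re-parse of `output` exposes ([] means clean)."""
    auditor = AllowlistAuditor(allowed_tags)
    auditor.feed(output)
    auditor.close()
    return auditor.violations


# Constructed samples: the first mirrors the vulnerable output quoted above,
# the second is the entity-escaped form a correct sanitizer should emit.
VULNERABLE = ('<noscript><title></noscript><img src=x onerror=alert(1) />'
              '</title></noscript>')
SAFE = '<noscript><title></noscript>&lt;img src=x onerror=alert(1) /&gt;'

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(label, audit_sanitized(sample, ["noscript", "title"]))
```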