[Python-modules-team] Bug#951907: Suggested Stable Fix

Scott Kitterman debian at kitterman.com
Fri Feb 28 20:30:01 GMT 2020


On Thursday, February 27, 2020 8:11:32 AM EST Salvatore Bonaccorso wrote:
> Hi Scott,
> 
> On Thu, Feb 27, 2020 at 01:41:44PM +0100, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Thu, Feb 27, 2020 at 01:18:55PM +0100, Salvatore Bonaccorso wrote:
> > > I think though we might need to revisit the assessment that older
> > > versions are not affected. Look at this quick and dirty test
> > > deduced from the testsuite:
> > So I think versions before are as well vulnerable but a fix will
> > become not so easy. First back in b07814e0753c ("Extract all html5lib
> > things into a shim module") in v3.0.0 did split some code from
> > bleach.sanitizer to bleach.html5lib_shim, and before in 67afdf8ae7d3
> > ("Prevent HTMLTokenizer from unescaping entities") in v2.1 was quite
> > refactored.
> > 
> > Now I'm not entirely sure how we should fix that for stretch.
> 
> Additional point, in earlier version the package depended on html5lib,
> then the code was vendored out to bleach itself, and then further
> modified as above. So while it is true one can argue the affected code
> is not in bleach, the bleach.clean still does not properly sanitize
> leading to the issue.
> 
> It is possibly too hard to actually fix the issue for stretch (and for
> LTS interest as well in jessie)?

I don't think so.  I think the lowest risk approach, other than leaving it as 
is, would be to backport 3.1.1 and use the vendored html5lib.  I gave that a 
quick try and it doesn't work out of the box.  If that is something the 
security team would consider, please let me know and I'll spend some time 
investigating if I can make that work on stretch.

Scott K