[Python-modules-team] Bug#951907: Suggested Stable Fix
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 28 20:46:04 GMT 2020
Hi Scott,
On Fri, Feb 28, 2020 at 03:30:01PM -0500, Scott Kitterman wrote:
> On Thursday, February 27, 2020 8:11:32 AM EST Salvatore Bonaccorso wrote:
> > Hi Scott,
> >
> > On Thu, Feb 27, 2020 at 01:41:44PM +0100, Salvatore Bonaccorso wrote:
> > > Hi,
> > >
> > > On Thu, Feb 27, 2020 at 01:18:55PM +0100, Salvatore Bonaccorso wrote:
> > > > I think though we mgiht need to revisit the assessment that older
> > > > versions are not affected. Look at the this quick and dirty test
> > >
> > > > deduced from the testsuite:
> > > So I think versions before are as well vulnerable but a fix will
> > > become not so easy. First back in b07814e0753c ("Extract all html5lib
> > > things into a shim module") in v3.0.0 did split some code from
> > > bleach.sanitizer to bleach.html5lib_shim, and before in 67afdf8ae7d3
> > > ("Prevent HTMLTokenizer from unescaping entities") in v2.1 was quite
> > > refactored.
> > >
> > > Now I'm not entirely sure how we should fix that for stretch.
> >
> > Additional point, in earlier version the package depended on html5lib,
> > then the code was vedored out to bleach itself, and then further
> > modified as above. So while it is true one can argue the affected code
> > is not in bleach, the bleach.clean still does not properly sanitize
> > leading to the issue.
> >
> > It is possibly to hard to actually fix the issue for stretch (and for
> > LTS interest as well in jessie)?
>
> I don't think so. I think the lowest risk approach, other than leaving it as
> is, would be to backport 3.1.1 and use the vendored html5lib. I gave that a
> quick try and it doesn't work out of the box. If that is something the
> security team would consider, please let me know and I'll spend some time
> investigating if I can make that work on stretch.
I feared that. Let's not take this risk and ignore the issue for
stretch then, altough it's not optimal. The advisory talks as well of
possible workarounds which might be possible for affected
users/applications for users in stretch.
So will go ahead for the DSA for buster only.
Many thanks for taking time to analyze the situation and reporting
back, much appreciated!
Regards,
Salvatore
More information about the Python-modules-team
mailing list