Bug#954236: Proposed Buster Fix (python3-bleach: New security issue: mutation XSS (again))

2020-03-20 Thread Salvatore Bonaccorso
Hi Scott,

On Fri, Mar 20, 2020 at 01:57:25PM -0400, Scott Kitterman wrote:
> On Thursday, March 19, 2020 6:24:22 PM EDT Salvatore Bonaccorso wrote:
> > Hi Scott,
> > 
> > On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> > > Upstream's 3.1.2 release had just the security fix in it.  I propose
> > > updating buster with it (I put 3.1.3 in unstable, but it had non-security
> > > fixes in it).
> > > 
> > > I'm not 100% sure whether we need to modify the import path for the new
> > > test, since we don't use the vendored html5lib, but other than that (which
> > > I will investigate), this should be good.
> > 
> > Given we did release a DSA for the similar issue CVE-2020-6802 for
> > buster, we can do the same now for this issue (it got assigned
> > CVE-2020-6816).
> > 
> > Your plan to rebase to 3.1.2 looks good to me.
> > 
> > Once you have the update ready, please just come back to us; if
> > possible add the CVE id reference, as it was assigned now, but more
> > importantly please adjust the debian/changelog (the target
> > distribution needs to be buster-security).
> > 
> > Many thanks for your work!
> 
> I've uploaded it to security-master (didn't get the accept yet), so you should 
> see it shortly.
> 
> I added the CVE reference and changed the target distribution.
> 
> In addition to test building, I ran the autopkgtests locally and it all 
> passed, so it should be good to go.

Thank you!

DSA 4643-1 with your update released!

Regards,
Salvatore



Bug#954236: Proposed Buster Fix (python3-bleach: New security issue: mutation XSS (again))

2020-03-20 Thread Scott Kitterman
On Thursday, March 19, 2020 6:24:22 PM EDT Salvatore Bonaccorso wrote:
> Hi Scott,
> 
> On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> > Upstream's 3.1.2 release had just the security fix in it.  I propose
> > updating buster with it (I put 3.1.3 in unstable, but it had non-security
> > fixes in it).
> > 
> > I'm not 100% sure whether we need to modify the import path for the new
> > test, since we don't use the vendored html5lib, but other than that (which
> > I will investigate), this should be good.
> 
> Given we did release a DSA for the similar issue CVE-2020-6802 for
> buster, we can do the same now for this issue (it got assigned
> CVE-2020-6816).
> 
> Your plan to rebase to 3.1.2 looks good to me.
> 
> Once you have the update ready, please just come back to us; if
> possible add the CVE id reference, as it was assigned now, but more
> importantly please adjust the debian/changelog (the target
> distribution needs to be buster-security).
> 
> Many thanks for your work!

I've uploaded it to security-master (didn't get the accept yet), so you should 
see it shortly.

I added the CVE reference and changed the target distribution.

In addition to test building, I ran the autopkgtests locally and it all 
passed, so it should be good to go.

Scott K



Bug#954236: Proposed Buster Fix (python3-bleach: New security issue: mutation XSS (again))

2020-03-19 Thread Salvatore Bonaccorso
Hi Scott,

On Thu, Mar 19, 2020 at 12:20:25AM -0400, Scott Kitterman wrote:
> Upstream's 3.1.2 release had just the security fix in it.  I propose updating 
> buster with it (I put 3.1.3 in unstable, but it had non-security fixes in it).
> 
> I'm not 100% sure whether we need to modify the import path for the new test, 
> since we don't use the vendored html5lib, but other than that (which I will 
> investigate), this should be good.

Given we did release a DSA for the similar issue CVE-2020-6802 for
buster, we can do the same now for this issue (it got assigned
CVE-2020-6816).

Your plan to rebase to 3.1.2 looks good to me.

Once you have the update ready, please just come back to us; if
possible add the CVE id reference, as it was assigned now, but more
importantly please adjust the debian/changelog (the target
distribution needs to be buster-security).

Many thanks for your work!

Regards,
Salvatore
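A pre-upload check for the two changelog requirements raised in this message (a CVE reference and the buster-security target), as an added example that is not part of the thread or of the python-bleach package; the sample stanzas are constructed and the maintainer email address in them is a placeholder:

```python
import re

_HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urg>\S+)$")
_CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_top_entry(changelog):
    """Return (header fields, change lines) for the first stanza of a changelog."""
    lines = changelog.strip().splitlines()
    m = _HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a debian/changelog header: %r" % lines[0])
    changes = []
    for line in lines[1:]:
        if line.startswith(" -- "):  # the maintainer/date trailer closes the stanza
            break
        if line.strip():
            changes.append(line.strip())
    return m.groupdict(), changes

def check_security_entry(changelog, expected_dist="buster-security"):
    """List what a security-team reviewer would bounce in the top stanza."""
    header, changes = parse_top_entry(changelog)
    body = " ".join(changes)
    problems = []
    if header["dist"].strip() != expected_dist:
        problems.append("distribution is %r, expected %r" % (header["dist"], expected_dist))
    if header["urg"] != "high":
        problems.append("urgency is %r; the previous DSA entry used high" % header["urg"])
    if not _CVE_RE.search(body):
        problems.append("no CVE id referenced in the changes")
    return problems

# Constructed samples: PROPOSED mirrors the stanza in the attached patch, CORRECTED
# applies the requests in the message above. The email address is a placeholder.
PROPOSED = """\
python-bleach (3.1.2-0+deb10u1) buster; urgency=medium

  * New upstream security release (Closes: #954236)

 -- Scott Kitterman <placeholder@example.org>  Thu, 19 Mar 2020 00:14:11 -0400
"""
CORRECTED = """\
python-bleach (3.1.2-0+deb10u1) buster-security; urgency=high

  * New upstream security release (Closes: #954236)
    - CVE-2020-6816: mutation XSS via RCDATA tags inside math/svg

 -- Scott Kitterman <placeholder@example.org>  Thu, 19 Mar 2020 00:14:11 -0400
"""
```

Running `check_security_entry(PROPOSED)` reports the three things the reply asks to fix, while the corrected stanza comes back clean.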



Bug#954236: Proposed Buster Fix (python3-bleach: New security issue: mutation XSS (again))

2020-03-18 Thread Scott Kitterman
Upstream's 3.1.2 release had just the security fix in it.  I propose updating 
buster with it (I put 3.1.3 in unstable, but it had non-security fixes in it).

I'm not 100% sure whether we need to modify the import path for the new test, 
since we don't use the vendored html5lib, but other than that (which I will 
investigate), this should be good.

Scott K

diff -Nru python-bleach-3.1.1/bleach/html5lib_shim.py python-bleach-3.1.2/bleach/html5lib_shim.py
--- python-bleach-3.1.1/bleach/html5lib_shim.py	2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/bleach/html5lib_shim.py	2020-03-17 10:26:44.0 -0400
@@ -533,7 +533,18 @@
 
 
 class BleachHTMLSerializer(HTMLSerializer):
-"""HTMLSerializer that undoes & ->  in attributes"""
+"""HTMLSerializer that undoes & ->  in attributes and sets
+escape_rcdata to True
+"""
+
+# per the HTMLSerializer.__init__ docstring:
+#
+# Whether to escape characters that need to be
+# escaped within normal elements within rcdata elements such as
+# style.
+#
+escape_rcdata = True
+
 def escape_base_amp(self, stoken):
 """Escapes just bare & in HTML attribute values"""
 # First, undo escaping of &. We need to do this because html5lib's
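Review bot: `escape_rcdata = True` is added as a class attribute default, so a caller that constructs `BleachHTMLSerializer` with an explicit `escape_rcdata=False` keyword would still switch the protection off; worth confirming that nothing in bleach's own serializer construction passes that option, or enforcing it in `__init__` if it must be unconditional. The updated docstring also reads `undoes & ->  in attributes` with the replacement target missing; if that is not just this listing, restore the intended `&amp;`.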
diff -Nru python-bleach-3.1.1/bleach/__init__.py python-bleach-3.1.2/bleach/__init__.py
--- python-bleach-3.1.1/bleach/__init__.py	2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/bleach/__init__.py	2020-03-17 10:26:44.0 -0400
@@ -18,9 +18,9 @@
 
 
 # mmdd
-__releasedate__ = '20200213'
+__releasedate__ = '20200311'
 # x.y.z or x.y.z.dev0 -- semver
-__version__ = '3.1.1'
+__version__ = '3.1.2'
 VERSION = parse_version(__version__)
 
 
diff -Nru python-bleach-3.1.1/CHANGES python-bleach-3.1.2/CHANGES
--- python-bleach-3.1.1/CHANGES	2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/CHANGES	2020-03-17 10:26:44.0 -0400
@@ -1,6 +1,40 @@
 Bleach changes
 ==
 
+Version 3.1.2 (March 11th, 2020)
+
+
+**Security fixes**
+
+* ``bleach.clean`` behavior parsing embedded MathML and SVG content
+  with RCDATA tags did not match browser behavior and could result in
+  a mutation XSS.
+
+  Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
+  ``svg`` tags and one or more of the RCDATA tags ``script``,
+  ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
+  ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
+  XSS.
+
+  This security issue was confirmed in Bleach version v3.1.1. Earlier
+  versions are likely affected too.
+
+  Anyone using Bleach <=v3.1.1 is encouraged to upgrade.
+
+  https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
+
+**Backwards incompatible changes**
+
+None
+
+**Features**
+
+None
+
+**Bug fixes**
+
+None
+
 Version 3.1.1 (February 13th, 2020)
 ---
 
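Review bot: the new security entry cites the Mozilla bug but not the CVE id; since CVE-2020-6816 has been assigned (see the reply in this thread), it belongs in this entry next to the bugzilla link so that downstream trackers can match the release to the advisory. The `Version 3.1.2 (March 11th, 2020)` heading is also missing the `---` underline that the `Version 3.1.1` heading below it carries, so it may not render at the same heading level.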
diff -Nru python-bleach-3.1.1/debian/changelog python-bleach-3.1.2/debian/changelog
--- python-bleach-3.1.1/debian/changelog	2020-02-27 05:53:52.0 -0500
+++ python-bleach-3.1.2/debian/changelog	2020-03-19 00:14:11.0 -0400
@@ -1,3 +1,9 @@
+python-bleach (3.1.2-0+deb10u1) buster; urgency=medium
+
+  * New upstream security release (Closes: #954236)
+
+ -- Scott Kitterman   Thu, 19 Mar 2020 00:14:11 -0400
+
 python-bleach (3.1.1-0+deb10u1) buster-security; urgency=high
 
   * New upstream security release (Closes: #951907)
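Review bot: the new stanza targets `buster` with `urgency=medium`, while the entry directly beneath it (the previous DSA) targets `buster-security` with `urgency=high`; an upload to security-master needs `buster-security` as the distribution, and the change line should name CVE-2020-6816 alongside `Closes: #954236` so the fix is traceable from the package itself. The maintainer trailer as shown has no `<email>` between the name and the date; if that is not an artifact of the listing, `dpkg-parsechangelog` will reject it.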
diff -Nru python-bleach-3.1.1/requirements-dev.txt python-bleach-3.1.2/requirements-dev.txt
--- python-bleach-3.1.1/requirements-dev.txt	2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/requirements-dev.txt	2020-03-17 10:26:44.0 -0400
@@ -11,3 +11,6 @@
 
 # Requirements for updating package
 twine
+
+# Requirements for running setup.py bdist_wheel
+wheel
diff -Nru python-bleach-3.1.1/tests/test_clean.py python-bleach-3.1.2/tests/test_clean.py
--- python-bleach-3.1.1/tests/test_clean.py	2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/tests/test_clean.py	2020-03-17 10:26:44.0 -0400
@@ -5,7 +5,7 @@
 from bleach import clean
 from bleach.html5lib_shim import Filter
 from bleach.sanitizer import Cleaner
-
+from bleach._vendor.html5lib.constants import rcdataElements
 
 def test_clean_idempotent():
 """Make sure that applying the filter twice doesn't change anything."""
@@ -787,7 +787,7 @@
 (
 raw_tag,
 "<%s>" % raw_tag,
-"<%s>img src=x onerror=alert(1) /" % raw_tag,
+"%simg src=x onerror=alert(1) /" % raw_tag,
 )
 for raw_tag in _raw_tags
 ],
@@ -797,6 +797,29 @@
 assert clean(data, tags=["noscript", raw_tag]) == expected
 
 
+@pytest.mark.parametrize(
+"namespace_tag, rc_data_element_tag, data, expected",
+[
+(
+namespace_tag,
+rc_data_element_tag,
+"<%s><%s>" % (namespace_tag, rc_data_element_tag),
+"<%s><%s>img src=x onerror=alert(1)" %