Review Debian update: lxml
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	jbond
	Mar 30 2021, 12:58 PM

Description

DebDiff Report lxml: 4.3.2-1+deb10u2 -> 4.3.2-1+deb10u3

diff -Nru lxml-4.3.2/debian/changelog lxml-4.3.2/debian/changelog
--- lxml-4.3.2/debian/changelog 2020-12-18 10:05:56.000000000 +0100
+++ lxml-4.3.2/debian/changelog 2021-03-23 19:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+lxml (4.3.2-1+deb10u3) buster-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2021-28957 (Closes: #985643)
+    Due to missing input sanitization, XSS is possible for the HTML5
+    formatcion attribute.
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 23 Mar 2021 19:03:02 +0100
+
 lxml (4.3.2-1+deb10u2) buster-security; urgency=medium
 
   * Enable the test suite (non-fatal).
diff -Nru lxml-4.3.2/debian/patches/CVE-2021-28957.patch lxml-4.3.2/debian/patches/CVE-2021-28957.patch
--- lxml-4.3.2/debian/patches/CVE-2021-28957.patch    1970-01-01 01:00:00.000000000 +0100
+++ lxml-4.3.2/debian/patches/CVE-2021-28957.patch    2021-03-23 19:03:02.000000000 +0100
@@ -0,0 +1,39 @@
+Index: lxml-4.3.2/src/lxml/html/defs.py
+===================================================================
--- lxml-4.3.2.orig/src/lxml/html/defs.py       2021-03-24 10:39:23.690583668 +0100
+++ lxml-4.3.2/src/lxml/html/defs.py    2021-03-24 10:39:23.682583509 +0100
@@ -21,6 +21,8 @@
     'usemap',
     # Not standard:
     'dynsrc', 'lowsrc',
+    # HTML5 formaction
+    'formaction'
     ])
 
 # Not in the HTML 4 spec:
Index: lxml-4.3.2/src/lxml/html/tests/test_clean.py
===================================================================
--- lxml-4.3.2.orig/src/lxml/html/tests/test_clean.py 2021-03-24 10:39:23.690583668 +0100
+++ lxml-4.3.2/src/lxml/html/tests/test_clean.py      2021-03-24 10:39:23.682583509 +0100
@@ -88,6 +88,21 @@
             b'<math><style>/* deleted */</style></math>',
             lxml.html.tostring(clean_html(s)))
 
+    def test_formaction_attribute_in_button_input(self):
+        # The formaction attribute overrides the form's action and should be
+        # treated as a malicious link attribute
+        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+        '<button form="test" formaction="javascript:alert(1)">X</button>')
+        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+        '<button form="test" formaction="">X</button></div>')
+        cleaner = Cleaner(
+            forms=False,
+            safe_attrs_only=False,
+        )
+        self.assertEqual(
+            expected,
+            cleaner.clean_html(html))
+
 
 def test_suite():
     suite = unittest.TestSuite()
diff -Nru lxml-4.3.2/debian/patches/series lxml-4.3.2/debian/patches/series
--- lxml-4.3.2/debian/patches/series    2020-12-18 10:04:38.000000000 +0100
+++ lxml-4.3.2/debian/patches/series    2021-03-23 19:03:02.000000000 +0100
@@ -1,3 +1,5 @@
 CVE-2020-27783.patch
 math-svg.patch
 fix-lack-of-re-ASCII-in-python2.patch
+
+CVE-2021-28957.patch

Bug Report

No bug reports, YAY :D

CVE Report

CVE-2021-28957: [local] lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.

Event Timeline

jbond triaged this task as Medium priority.Mar 30 2021, 12:58 PM

jbond created this task.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 30 2021, 12:58 PM

update matches upstream patch

Mentioned in SAL (#wikimedia-operations) [2021-03-30T13:02:28Z] <jbond42> rollout lxml update T278822

This update has now been rolled out

Review Debian update: lxmlClosed, ResolvedPublicActions