DebDiff Report lxml: 4.3.2-1+deb10u2 -> 4.3.2-1+deb10u3
diff -Nru lxml-4.3.2/debian/changelog lxml-4.3.2/debian/changelog --- lxml-4.3.2/debian/changelog 2020-12-18 10:05:56.000000000 +0100 +++ lxml-4.3.2/debian/changelog 2021-03-23 19:03:02.000000000 +0100 @@ -1,3 +1,12 @@ +lxml (4.3.2-1+deb10u3) buster-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2021-28957 (Closes: #985643) + Due to missing input sanitization, XSS is possible for the HTML5 + formatcion attribute. + + -- Thorsten Alteholz <debian@alteholz.de> Tue, 23 Mar 2021 19:03:02 +0100 + lxml (4.3.2-1+deb10u2) buster-security; urgency=medium * Enable the test suite (non-fatal). diff -Nru lxml-4.3.2/debian/patches/CVE-2021-28957.patch lxml-4.3.2/debian/patches/CVE-2021-28957.patch --- lxml-4.3.2/debian/patches/CVE-2021-28957.patch 1970-01-01 01:00:00.000000000 +0100 +++ lxml-4.3.2/debian/patches/CVE-2021-28957.patch 2021-03-23 19:03:02.000000000 +0100 @@ -0,0 +1,39 @@ +Index: lxml-4.3.2/src/lxml/html/defs.py +=================================================================== --- lxml-4.3.2.orig/src/lxml/html/defs.py 2021-03-24 10:39:23.690583668 +0100 +++ lxml-4.3.2/src/lxml/html/defs.py 2021-03-24 10:39:23.682583509 +0100 @@ -21,6 +21,8 @@ 'usemap', # Not standard: 'dynsrc', 'lowsrc', + # HTML5 formaction + 'formaction' ]) # Not in the HTML 4 spec: Index: lxml-4.3.2/src/lxml/html/tests/test_clean.py =================================================================== --- lxml-4.3.2.orig/src/lxml/html/tests/test_clean.py 2021-03-24 10:39:23.690583668 +0100 +++ lxml-4.3.2/src/lxml/html/tests/test_clean.py 2021-03-24 10:39:23.682583509 +0100 
@@ -88,6 +88,21 @@ b'<math><style>/* deleted */</style></math>', lxml.html.tostring(clean_html(s))) + def test_formaction_attribute_in_button_input(self): + # The formaction attribute overrides the form's action and should be + # treated as a malicious link attribute + html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>' + '<button form="test" formaction="javascript:alert(1)">X</button>') + expected = ('<div><form id="test"><input type="submit" formaction=""></form>' + '<button form="test" formaction="">X</button></div>') + cleaner = Cleaner( + forms=False, + safe_attrs_only=False, + ) + self.assertEqual( + expected, + cleaner.clean_html(html)) + def test_suite(): suite = unittest.TestSuite() diff -Nru lxml-4.3.2/debian/patches/series lxml-4.3.2/debian/patches/series --- lxml-4.3.2/debian/patches/series 2020-12-18 10:04:38.000000000 +0100 +++ lxml-4.3.2/debian/patches/series 2021-03-23 19:03:02.000000000 +0100 @@ -1,3 +1,5 @@ CVE-2020-27783.patch math-svg.patch fix-lack-of-re-ASCII-in-python2.patch + +CVE-2021-28957.patch
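Review bot: The new debian/changelog entry misspells the attribute name: "HTML5 formatcion attribute" should read "HTML5 formaction attribute", matching the identifier added to defs.py and the CVE text. Worth fixing before upload, since the changelog is what the DSA and tracker pull from.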
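Review bot: The new file debian/patches/CVE-2021-28957.patch carries no DEP-3 header; it starts straight at "Index: lxml-4.3.2/src/lxml/html/defs.py". Add the usual Description:, Origin: (the upstream commit it was taken from) and Bug-Debian: #985643 lines at the top so the provenance of the fix is recorded. The defs.py hunk itself is correct in intent: 'formaction' is appended to the same list that already holds the non-standard 'dynsrc' and 'lowsrc' link attributes, which is the set the cleaner uses for URL sanitization per the CVE description.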
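Review bot: In the test_clean.py hunk, the comment "should be treated as a malicious link attribute" is imprecise; formaction is not malicious in itself, it is a URL-bearing attribute that must go through the same link sanitization as action. Suggest "should be treated as a link attribute and have its URL sanitized". The test is otherwise well targeted: it covers both carriers of formaction (input and button), and it sets forms=False and safe_attrs_only=False, which is exactly the configuration under which the attribute survives cleaning and the link_attrs check is the only protection, so the expected formaction="" output directly exercises the defs.py change.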
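Review bot: The debian/patches/series hunk adds an empty line before "CVE-2021-28957.patch". The blank line is harmless to quilt but is not how the other entries in series are written; drop it and append only the patch name.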
Bug Report
No bug reports, YAY :D
CVE Report
- CVE-2021-28957: [local] lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.