From 567b754a72ab5ccdfbec6ab0b574e717ae7266b4 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 09 2021 09:48:33 +0000 Subject: import python-lxml-4.4.1-6.module+el8.5.0+10542+ba057329 --- diff --git a/SOURCES/CVE-2021-28957.patch b/SOURCES/CVE-2021-28957.patch new file mode 100644 index 0000000..0368606 --- /dev/null +++ b/SOURCES/CVE-2021-28957.patch @@ -0,0 +1,39 @@ +diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py +index caf6b21..ea3c016 100644 +--- a/src/lxml/html/defs.py ++++ b/src/lxml/html/defs.py +@@ -21,6 +21,8 @@ link_attrs = frozenset([ + 'usemap', + # Not standard: + 'dynsrc', 'lowsrc', ++ # HTML5 formaction ++ 'formaction' + ]) + + # Not in the HTML 4 spec: +diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py +index 451eec2..e40cdad 100644 +--- a/src/lxml/html/tests/test_clean.py ++++ b/src/lxml/html/tests/test_clean.py +@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase): + b'', + lxml.html.tostring(clean_html(s))) + ++ def test_formaction_attribute_in_button_input(self): ++ # The formaction attribute overrides the form's action and should be ++ # treated as a malicious link attribute ++ html = ('
' ++ '') ++ expected = ('
' ++ '
') ++ cleaner = Cleaner( ++ forms=False, ++ safe_attrs_only=False, ++ ) ++ self.assertEqual( ++ expected, ++ cleaner.clean_html(html)) ++ + + def test_suite(): + suite = unittest.TestSuite() diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec index 3462ba7..b380b7a 100644 --- a/SPECS/python-lxml.spec +++ b/SPECS/python-lxml.spec @@ -4,7 +4,7 @@ Name: python-%{modname} Version: 4.4.1 -Release: 5%{?dist} +Release: 6%{?dist} Summary: XML processing library combining libxml2/libxslt with the ElementTree API License: BSD @@ -18,6 +18,11 @@ Source0: https://lxml.de/files/%{modname}-%{version}.tgz # Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 Patch0: CVE-2020-27783.patch +# Fix for CVE-2021-28957: missing input sanitization +# for formaction HTML5 attributes which may lead to XSS +# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d +Patch1: CVE-2021-28957.patch + # Exclude i686 arch. Due to a modularity issue it's being added to the # x86_64 compose of CRB, but we don't want to ship it at all. # See: https://projects.engineering.redhat.com/browse/RCM-72605 @@ -104,6 +109,10 @@ env WITH_CYTHON=true %py3_build %{python3_sitearch}/%{modname}-*.egg-info/ %changelog +* Wed Mar 24 2021 Charalampos Stratakis - 4.4.1-6 +- Security fix for CVE-2021-28957 +Resolves: rhbz#1941534 + * Thu Dec 03 2020 Lumír Balhar - 4.4.1-5 - Security fix for CVE-2020-27783: mXSS due to the use of improper parser Resolves: rhbz#1901633