From 9c03034e10da339ce07d018354a7a874f8230f73 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 27 2022 07:26:15 +0000 Subject: import python-lxml-4.6.5-1.module+el8.6.0+13933+9cf0c87c --- diff --git a/.gitignore b/.gitignore index 20f261f..70e2bc6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/lxml-4.6.2.tar.gz +SOURCES/lxml-4.6.5.tar.gz diff --git a/.python-lxml.metadata b/.python-lxml.metadata index 5eb4d34..fcf7f24 100644 --- a/.python-lxml.metadata +++ b/.python-lxml.metadata @@ -1 +1 @@ -ab5b8053945d1404b4e54cfd62afc38c8b62aa0c SOURCES/lxml-4.6.2.tar.gz +04a3ed4d33a511b5796880461b0edb6f3b144547 SOURCES/lxml-4.6.5.tar.gz diff --git a/SOURCES/CVE-2021-28957.patch b/SOURCES/CVE-2021-28957.patch deleted file mode 100644 index 0368606..0000000 --- a/SOURCES/CVE-2021-28957.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py -index caf6b21..ea3c016 100644 ---- a/src/lxml/html/defs.py -+++ b/src/lxml/html/defs.py -@@ -21,6 +21,8 @@ link_attrs = frozenset([ - 'usemap', - # Not standard: - 'dynsrc', 'lowsrc', -+ # HTML5 formaction -+ 'formaction' - ]) - - # Not in the HTML 4 spec: -diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py -index 451eec2..e40cdad 100644 ---- a/src/lxml/html/tests/test_clean.py -+++ b/src/lxml/html/tests/test_clean.py -@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase): - b'', - lxml.html.tostring(clean_html(s))) - -+ def test_formaction_attribute_in_button_input(self): -+ # The formaction attribute overrides the form's action and should be -+ # treated as a malicious link attribute -+ html = ('
' -+ '') -+ expected = ('
' -+ '
') -+ cleaner = Cleaner( -+ forms=False, -+ safe_attrs_only=False, -+ ) -+ self.assertEqual( -+ expected, -+ cleaner.clean_html(html)) -+ - - def test_suite(): - suite = unittest.TestSuite() diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec index 0111e56..655b928 100644 --- a/SPECS/python-lxml.spec +++ b/SPECS/python-lxml.spec @@ -1,19 +1,14 @@ %global modname lxml Name: python-%{modname} -Version: 4.6.2 -Release: 3%{?dist} +Version: 4.6.5 +Release: 1%{?dist} Summary: XML processing library combining libxml2/libxslt with the ElementTree API License: BSD URL: https://github.com/lxml/lxml Source0: %{pypi_source %{modname}} -# Fix for CVE-2021-28957: missing input sanitization -# for formaction HTML5 attributes which may lead to XSS -# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d -Patch1: CVE-2021-28957.patch - # Exclude i686 arch. Due to a modularity issue it's being added to the # x86_64 compose of CRB, but we don't want to ship it at all. # See: https://projects.engineering.redhat.com/browse/RCM-72605 @@ -53,25 +48,31 @@ Python 3 version. find -type f -name '*.c' -print -delete %build -env WITH_CYTHON=true %py3_build +export WITH_CYTHON=true +%py3_build %install %py3_install %check -# The test invocation below actually runs 0 tests. -# Fedora BZ for this problem: https://bugzilla.redhat.com/show_bug.cgi?id=1918626 -# We have been unable to make the tests run properly in the spec file, but the -# test suite is being run as part of the QE tests and gating. -%{__python3} setup.py test +# The tests assume inplace build, so we copy the built library to source-dir. +# If not done that, Python can either import the tests or the extension modules, but not both. +cp -a build/lib.%{python3_platform}-%{python3_version}/* src/ +# The options are: verbose, unit, functional +%{python3} test.py -vuf %files -n python%{python3_pkgversion}-%{modname} -%license doc/licenses/ZopePublicLicense.txt LICENSES.txt +%license LICENSES.txt %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt %{python3_sitearch}/%{modname}/ %{python3_sitearch}/%{modname}-*.egg-info/ %changelog +* Thu Jan 06 2022 Charalampos Stratakis - 4.6.5-1 +- Update to 4.6.5 +- Security fix for CVE-2021-43818 +Resolves: rhbz#2032569 + * Wed Mar 24 2021 Charalampos Stratakis - 4.6.2-3 - Security fix for CVE-2021-28957 Resolves: rhbz#1941534