diff --git a/SOURCES/CVE-2020-27783.patch b/SOURCES/CVE-2020-27783.patch
new file mode 100644
index 0000000..5d7baaf
--- /dev/null
+++ b/SOURCES/CVE-2020-27783.patch
@@ -0,0 +1,121 @@
+diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
+index adc3f45..6f3f7de 100644
+--- a/src/lxml/html/clean.py
++++ b/src/lxml/html/clean.py
+@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
+ 
+ # This is an IE-specific construct you can have in a stylesheet to
+ # run some Javascript:
+-_css_javascript_re = re.compile(
+- r'expression\s*\(.*?\)', re.S|re.I)
++_replace_css_javascript = re.compile(
++ r'expression\s*\(.*?\)', re.S|re.I).sub
+ 
+ # Do I have to worry about @\nimport?
+-_css_import_re = re.compile(
+- r'@\s*import', re.I)
++_replace_css_import = re.compile(
++ r'@\s*import', re.I).sub
++
++_looks_like_tag_content = re.compile(
++ r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
+ 
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+@@ -292,8 +295,8 @@ class Cleaner(object):
+ if not self.inline_style:
+ for el in _find_styled_elements(doc):
+ old = el.get('style')
+- new = _css_javascript_re.sub('', old)
+- new = _css_import_re.sub('', new)
++ new = _replace_css_javascript('', old)
++ new = _replace_css_import('', new)
+ if self._has_sneaky_javascript(new):
+ # Something tricky is going on...
+ del el.attrib['style']
+@@ -305,9 +308,9 @@ class Cleaner(object):
+ el.drop_tree()
+ continue
+ old = el.text or ''
+- new = _css_javascript_re.sub('', old)
++ new = _replace_css_javascript('', old)
+ # The imported CSS can do anything; we just can't allow:
+- new = _css_import_re.sub('', old)
++ new = _replace_css_import('', new)
+ if self._has_sneaky_javascript(new):
+ # Something tricky is going on...
+ el.text = '/* deleted */'
+@@ -509,6 +512,12 @@ class Cleaner(object):
+ return True
+ if 'expression(' in style:
+ return True
++ if '</noscript' in style:
++ # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
++ return True
++ if _looks_like_tag_content(style):
++ # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
++ return True
+ return False
+ 
+ def clean_html(self, html):
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 3bcaaf5..451eec2 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -69,6 +69,26 @@ class CleanerTest(unittest.TestCase):
+ s = lxml.html.fromstring('<invalid tag>child</another>')
+ self.assertEqual('child', clean_html(s).text_content())
+ 
++ def test_sneaky_noscript_in_style(self):
++ # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
++ # thus passing the </noscript> through into the output.
++ html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
++ s = lxml.html.fragment_fromstring(html)
++
++ self.assertEqual(
++ b'<noscript><style>/* deleted */</style></noscript>',
++ lxml.html.tostring(clean_html(s)))
++
++ def test_sneaky_js_in_math_style(self):
++ # This gets parsed as <math> -> <style>"..."</style>
++ # thus passing any tag/script/whatever content through into the output.
++ html = '<math><style><img src=x onerror=alert(1)></style></math>'
++ s = lxml.html.fragment_fromstring(html)
++
++ self.assertEqual(
++ b'<math><style>/* deleted */</style></math>',
++ lxml.html.tostring(clean_html(s)))
++
+ 
+ def test_suite():
+ suite = unittest.TestSuite()
+diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
+index c78ab4f..c901871 100644
+--- a/src/lxml/html/tests/test_clean.txt
++++ b/src/lxml/html/tests/test_clean.txt
+@@ -104,7 +104,11 @@
+ >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
+ <html>
+ <head>
+- <style>/* deleted */</style>
++ <style>
++ body {background-image: url()};
++ div {background-image: url()};
++ div {color: };
++ </style>
+ </head>
+ <body>
+ <a href="">a link</a>
+@@ -168,7 +172,11 @@
+ <link rel="alternate" type="text/rss" src="evil-rss">
+ <link rel="alternate" type="text/rss" href="http://example.com">
+ <link rel="stylesheet" type="text/rss" href="http://example.com">
+- <style>/* deleted */</style>
++ <style>
++ body {background-image: url()};
++ div {background-image: url()};
++ div {color: };
++ </style>
+ </head>
+ <body>
+ <a href="">a link</a>
diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec
index 97519a2..6754ad8 100644
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
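Review bot: In the `@@ -509,6 +512,12 @@` hunk of clean.py the new `if '</noscript' in style:` branch is redundant: `_looks_like_tag_content` matches `</` followed by any run of ASCII letters of either case, so every string the literal, case-sensitive `</noscript` test accepts is already rejected by the regex branch immediately after it, and the duplication looks like an artifact of combining the two upstream commits. I would keep the single regex check and move the `<noscript>` example comment next to the `<math>` one, or add a comment saying the first branch is retained only as a readable special case. The regex itself is added without any comment, so I would put one above `_looks_like_tag_content`, e.g. `# Text inside <style> that looks like markup (a tag or an on*= handler) can be re-tokenized as HTML by a browser, so the whole style block or attribute is dropped.` It is also worth noting in that comment that this is deliberately over-broad: any stylesheet or style attribute containing something like `<a` is now discarded, which is an accepted false-positive cost. The enclosing `_has_sneaky_javascript` method starts outside the hunk.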
@@ -9,13 +9,20 @@ Name: python-%{modname}
 Version: 4.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: XML processing library combining libxml2/libxslt with the ElementTree API
 License: BSD
 URL: http://lxml.de
 Source0: http://lxml.de/files/%{modname}-%{version}.tgz
+# Fix for CVE-2020-27783: mXSS due to the use of improper parser
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
+# Two upstream commits combined:
+# Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
+# Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
+Patch0: CVE-2020-27783.patch
+
 BuildRequires: gcc
 BuildRequires: libxml2-devel
 BuildRequires: libxslt-devel
@@ -60,7 +67,7 @@ Recommends: python3-beautifulsoup4
 Python 3 version.
 %prep
-%autosetup -n %{modname}-%{version}
+%autosetup -n %{modname}-%{version} -p1
 %build
 export WITH_CYTHON=true
@@ -96,6 +103,10 @@ export WITH_CYTHON=true
 %{python3_sitearch}/%{modname}-*.egg-info/
 %changelog
+* Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-2
+- Security fix for CVE-2020-27783: mXSS due to the use of improper parser
+Resolves: rhbz#1901633
+
 * Thu Aug 02 2018 Sebastian Kisela <skisela@redhat.com> - 4.2.3-1
 - New upstream release 4.2.3