Hi Scott,

On Thu, Feb 27, 2020 at 06:24:09AM -0500, Scott Kitterman wrote:
> On Thursday, February 27, 2020 2:44:48 AM EST Salvatore Bonaccorso wrote:
> > Hi Scott,
> > 
> > On Sat, Feb 22, 2020 at 07:20:34PM -0500, Scott Kitterman wrote:
> > > Debdiff for proposed stable security update attached.
> > > 
> > > The first hunk of the patch has the actual fix. I would prefer to use the
> > > new upstream release rather than just patch the one line because of the
> > > test improvements, of the explanation of the issue in the upstream
> > > changelog, and using the new upstream makes it clearer to external
> > > reviewers we've done the fix. There are no unrelated changes.
> > 
> > Okay, let's fix this via a DSA.
> > I checked the reverse dependencies and none seem to be particularly
> > impacted, but given the primary use of the module is to sanitize input
> > and is generic enough we should update.
> > 
> > Can you set urgency=high for consistency, and add the now assigned CVE
> > reference (I did contact Mozilla CNA for it, and they assigned one, it
> > is CVE-2020-6802).
> > 
> > Many thanks for your work and apologies for the long delay.
> 
> Thanks. No worries about the delay. I imagine this isn't the most severe
> issue you are dealing with this week.
> 
> I've dput the package to security-master, modified as above.
Great many thanks, it got ACCEPTED and I quickly tested it as well. Looks
good. I think though we might need to revisit the assessment that older
versions are not affected. Look at this quick and dirty test deduced
from the testsuite:

----cut---------cut---------cut---------cut---------cut---------cut-----
from bleach import clean

# Raw-text tags to combine with <noscript> in the allowed tag list.
raw_tags = [
    "title",
    "textarea",
    "script",
    "style",
    "noembed",
    "noframes",
    "iframe",
    "xmp",
]

for raw_tag in raw_tags:
    print("Testing tag '%s' ... " % raw_tag, end='')
    data = "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag
    # A fixed clean() leaves the input unchanged; the unfixed one re-nests it.
    expected = "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag
    result = clean(data, tags=["noscript", raw_tag])
    if result == expected:
        print("OK")
    else:
        print("FAIL")
        print("expected: %s" % expected)
        print("result: %s" % result)
----cut---------cut---------cut---------cut---------cut---------cut-----

It will result in:

Testing tag 'title' ... FAIL
expected: <noscript><title></noscript><img src=x onerror=alert(1) />
result: <noscript><title></noscript><img src=x onerror=alert(1) /></title></noscript>
Testing tag 'textarea' ... FAIL
expected: <noscript><textarea></noscript><img src=x onerror=alert(1) />
result: <noscript><textarea></noscript><img src=x onerror=alert(1) /></textarea></noscript>
Testing tag 'script' ... FAIL
expected: <noscript><script></noscript><img src=x onerror=alert(1) />
result: <noscript><script></noscript><img src=x onerror=alert(1) /></script></noscript>
Testing tag 'style' ... FAIL
expected: <noscript><style></noscript><img src=x onerror=alert(1) />
result: <noscript><style></noscript><img src=x onerror=alert(1) /></style></noscript>
Testing tag 'noembed' ... FAIL
expected: <noscript><noembed></noscript><img src=x onerror=alert(1) />
result: <noscript><noembed></noscript><img src=x onerror=alert(1) /></noembed></noscript>
Testing tag 'noframes' ... FAIL
expected: <noscript><noframes></noscript><img src=x onerror=alert(1) />
result: <noscript><noframes></noscript><img src=x onerror=alert(1) /></noframes></noscript>
Testing tag 'iframe' ... FAIL
expected: <noscript><iframe></noscript><img src=x onerror=alert(1) />
result: <noscript><iframe></noscript><img src=x onerror=alert(1) /></iframe></noscript>
Testing tag 'xmp' ... FAIL
expected: <noscript><xmp></noscript><img src=x onerror=alert(1) />
result: <noscript><xmp></noscript><img src=x onerror=alert(1) /></xmp></noscript>

(and the same in jessie).

Regards,
Salvatore
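The reason the "FAIL" output above matters is a parser mismatch: bleach parses with html5lib in scripting-disabled mode, so the content of <noscript> is ordinary markup, <title> becomes a child of <noscript>, and the text "</noscript><img src=x onerror=alert(1) />" is treated as raw text inside <title> and serialised unescaped. A browser with scripting enabled instead treats everything from <noscript> up to the first </noscript> as raw text and parses what follows as live markup, so the <img> with its onerror handler executes. The following is an added example, not code from the mail, from Debian or from the bleach project; it models that scripting-enabled interpretation with a deliberately minimal tokenizer (not a full HTML5 parser) and adds a pre-flight check for a clean() tag allowlist. The helper names risky_raw_text_tags, scripting_enabled_view and live_event_handlers are hypothetical; SANITIZED_OUTPUT is the 'title' result string copied from the mail.

```python
import re

# Added example, not part of the original mail or of bleach's own code.
# Tags whose content html5lib (and thus bleach) parses as raw text / RCDATA.
# This is the same list the test in the mail iterates over.
RAW_TEXT_TAGS = frozenset(
    ["title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"]
)

# Sanitizer output copied from the mail above (the 'title' case).
SANITIZED_OUTPUT = (
    '<noscript><title></noscript><img src=x onerror=alert(1) /></title></noscript>'
)

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def risky_raw_text_tags(allowed_tags):
    """Pre-flight check for a clean() tag allowlist (hypothetical helper).

    Returns the raw-text tags that are allowed alongside 'noscript'. A
    non-empty result means the allowlist permits the re-nesting shown in the
    mail; an empty set means 'noscript' is absent or no raw-text tag is
    allowed together with it.
    """
    allowed = {tag.lower() for tag in allowed_tags}
    if "noscript" not in allowed:
        return frozenset()
    return frozenset(allowed & RAW_TEXT_TAGS)


def scripting_enabled_view(html):
    """Simplified model of a scripting-enabled browser tokenizing `html`.

    Everything from a <noscript> start tag up to the first </noscript> is
    skipped as raw text, whatever nesting the sanitizer believed it produced;
    every other start tag is reported as live markup. Returns a list of
    (tag name, attribute text) pairs. Illustrative only, not an HTML5 parser.
    """
    live = []
    pos = 0
    lowered = html.lower()
    while True:
        match = TAG_RE.search(html, pos)
        if not match:
            break
        closing, name, attrs = match.group(1), match.group(2).lower(), match.group(3)
        if not closing and name == "noscript":
            # Raw text until the first </noscript>, regardless of what came in between.
            end = lowered.find("</noscript>", match.end())
            if end == -1:
                break
            pos = end + len("</noscript>")
            continue
        if not closing:
            live.append((name, attrs.strip()))
        pos = match.end()
    return live


def live_event_handlers(html):
    """Live start tags from scripting_enabled_view() that carry an on* attribute."""
    return [(name, attrs) for name, attrs in scripting_enabled_view(html)
            if EVENT_ATTR_RE.search(attrs)]


if __name__ == "__main__":
    # The allowlist used by the mail's test for the 'title' case is risky.
    print(risky_raw_text_tags(["noscript", "title"]))   # frozenset({'title'})
    # The browser sees a live <img> that bleach believed was text inside <title>.
    print(scripting_enabled_view(SANITIZED_OUTPUT))     # [('img', 'src=x onerror=alert(1) /')]
    print(live_event_handlers(SANITIZED_OUTPUT))        # [('img', 'src=x onerror=alert(1) /')]
```

Running risky_raw_text_tags() over an application's allowlist before it reaches clean() is the cheap defensive check: a deployment that never allows noscript together with one of the raw-text tags cannot produce the re-nested output regardless of which bleach version is installed.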