Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id 
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #962059,
regarding buster-pu: package python-markdown2/2.3.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
962059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962059
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Dear Release Managers,

I'd like to have python-markdown2 updated in Buster, due to a CVE:
CVE-2020-11888.

I attached a debdiff with the bug report, and the update is the
simple adding of debian/patches/0001.

I've also added a gbp.conf to have gbp stop complaining when I don't
give it the proper branch to build; this addition doesn't change the
binary packages.

Note that I've uploaded python-markdown2 2.3.9-1 to unstable 15 minutes
ago. It ships the CVE fix, and should be visible in the archive soon.

Thanks a lot for your work! :)

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru python-markdown2-2.3.7/debian/changelog 
python-markdown2-2.3.7/debian/changelog
--- python-markdown2-2.3.7/debian/changelog     2019-02-02 18:27:36.000000000 
+0100
+++ python-markdown2-2.3.7/debian/changelog     2020-06-02 20:23:22.000000000 
+0200
@@ -1,3 +1,10 @@
+python-markdown2 (2.3.7-2+deb10u1) buster; urgency=medium
+
+  * Add d/p/0001 To fix CVE-2020-11888, thanks to Gareth Simpson
+  * Add a d/gbp.conf file to ease-up gbp's mind
+
+ -- Pierre-Elliott Bécue <[email protected]>  Tue, 02 Jun 2020 20:23:22 +0200
+
 python-markdown2 (2.3.7-2) unstable; urgency=medium
 
   * Team upload
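Review bot: the second changelog bullet ("ease-up gbp's mind") does not say what the file actually does; spelling it out, e.g. "Add debian/gbp.conf setting debian-branch to debian/buster and pristine-tar = True", lets a reader verify from the changelog alone that the change is build-tooling only and cannot affect the binary packages, as the bug report claims. The first bullet is fine: it names the CVE and credits the patch author.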
diff -Nru python-markdown2-2.3.7/debian/gbp.conf 
python-markdown2-2.3.7/debian/gbp.conf
--- python-markdown2-2.3.7/debian/gbp.conf      1970-01-01 01:00:00.000000000 
+0100
+++ python-markdown2-2.3.7/debian/gbp.conf      2020-06-02 20:23:18.000000000 
+0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/buster
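Review bot: nothing to block here; debian/gbp.conf is build-tooling configuration that is not installed into any binary package, which is consistent with the "doesn't change the binary packages" statement in the request. Note only that `pristine-tar = True` under `[DEFAULT]` assumes a pristine-tar branch exists in the packaging repository, otherwise gbp buildpackage will fail rather than fall back silently.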
diff -Nru 
python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
 
python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
--- 
python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
       2020-06-02 20:22:52.000000000 +0200
@@ -0,0 +1,73 @@
+From: Gareth Simpson <[email protected]>
+Date: Tue, 2 Jun 2020 20:14:30 +0200
+Subject: Incomplete tags with punctuation after as part of the tag name are a
+ source of XSS
+Bug: https://github.com/trentm/python-markdown2/issues/348
+
+Fixes CVE-2020-11888.
+
+python-markdown2 through 2.3.8 allows XSS because element names are
+mishandled unless a \w+ match succeeds. For example, an attack might use
+elementname@ or elementname- with an onclick attribute.
+---
+ lib/markdown2.py                           | 9 ++++++---
+ test/tm-cases/issue348_incomplete_tag.html | 1 +
+ test/tm-cases/issue348_incomplete_tag.opts | 1 +
+ test/tm-cases/issue348_incomplete_tag.text | 1 +
+ 4 files changed, 9 insertions(+), 3 deletions(-)
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.html
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.opts
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.text
+
+diff --git a/lib/markdown2.py b/lib/markdown2.py
+index 16672f5..bd9fe0c 100755
+--- a/lib/markdown2.py
++++ b/lib/markdown2.py
+@@ -1772,7 +1772,7 @@ class Markdown(object):
+                 lexer_name = lexer_name[3:].strip()
+                 codeblock = rest.lstrip("\n")   # Remove lexer declaration 
line.
+                 formatter_opts = self.extras['code-color'] or {}
+-        
++
+         # Use pygments only if not using the highlightjs-lang extra
+         if lexer_name and "highlightjs-lang" not in self.extras:
+             def unhash_code(codeblock):
+@@ -2134,12 +2134,15 @@ class Markdown(object):
+         text = self._naked_gt_re.sub('&gt;', text)
+         return text
+ 
+-    _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
++    _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
+ 
+     def _encode_incomplete_tags(self, text):
+         if self.safe_mode not in ("replace", "escape"):
+             return text
+-            
++
++        if text.endswith(">"):
++            return text  # this is not an incomplete tag, this is a link in 
the form <http://x.y.z>
++
+         return self._incomplete_tags_re.sub("&lt;\\1", text)
+ 
+     def _encode_backslash_escapes(self, text):
+diff --git a/test/tm-cases/issue348_incomplete_tag.html 
b/test/tm-cases/issue348_incomplete_tag.html
+new file mode 100644
+index 0000000..46059cc
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.html
+@@ -0,0 +1 @@
++<p>&lt;lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p>
+diff --git a/test/tm-cases/issue348_incomplete_tag.opts 
b/test/tm-cases/issue348_incomplete_tag.opts
+new file mode 100644
+index 0000000..ad487c0
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.opts
+@@ -0,0 +1 @@
++{"safe_mode": "escape"}
+diff --git a/test/tm-cases/issue348_incomplete_tag.text 
b/test/tm-cases/issue348_incomplete_tag.text
+new file mode 100644
+index 0000000..bb4a0de
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.text
+@@ -0,0 +1 @@
++<lol@/ //id="pwn"//onclick="alert(1)"//**abc**
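Review bot: the `text.endswith(">")` early return in `_encode_incomplete_tags` is wider than its comment suggests: it skips encoding for the whole text passed in, not just a trailing `<http://x.y.z>` autolink, so any other `<` earlier in the same text is also left unencoded. Consider excluding autolinks per match instead (for example, skipping a match whose span is closed by `>`) so the check applies to the individual tag. Separately, the new `_incomplete_tags_re` requires at least one extra character (`.+?`) between the tag name and the trailing whitespace or slash, so a plain-name fragment such as `<b foo` at the end of a text, which the old pattern encoded as `&lt;b foo`, no longer matches; the added tm-case only covers the new `<lol@/ ...` shape, so a regression case for the plain-name shape would document whether that narrowing is intended. Minor: the pattern is still a non-raw string literal, so `\w` and `\s` rely on Python tolerating unknown escapes; an `r"..."` literal avoids the DeprecationWarning.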
diff -Nru python-markdown2-2.3.7/debian/patches/series 
python-markdown2-2.3.7/debian/patches/series
--- python-markdown2-2.3.7/debian/patches/series        1970-01-01 
01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/patches/series        2020-06-02 
20:22:52.000000000 +0200
@@ -0,0 +1 @@
+0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
