Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=ef00170393123f11f02416c81a25f59f026d409b

commit ef00170393123f11f02416c81a25f59f026d409b
Author: kikadf <[email protected]>
Date:   Sat May 24 14:58:56 2014 +0200

lxml-2.3.5-1arcturus1-x86_64

* Fix CVE-2014-3146

diff --git a/source/devel-extra/lxml/CVE-2014-3146.patch b/source/devel-extra/lxml/CVE-2014-3146.patch
new file mode 100644
index 0000000..37dda32
--- /dev/null
+++ b/source/devel-extra/lxml/CVE-2014-3146.patch
@@ -0,0 +1,81 @@
+--- lxml-2.3.2.orig/src/lxml/html/clean.py
++++ lxml-2.3.2/src/lxml/html/clean.py
+@@ -79,9 +79,10 @@
+
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+-_javascript_scheme_re = re.compile(
+-    r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I)
+-_substitute_whitespace = re.compile(r'\s+').sub
++_is_javascript_scheme = re.compile(
++    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
++    re.I).search
++_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
+ # FIXME: should data: be blocked?
+
+ # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
+@@ -459,7 +460,7 @@
+     def _remove_javascript_link(self, link):
+         # links like "j a v a s c r i p t:" might be interpreted in IE
+         new = _substitute_whitespace('', link)
+-        if _javascript_scheme_re.search(new):
++        if _is_javascript_scheme(new):
+             # FIXME: should this be None to delete?
+             return ''
+         return link
+--- lxml-2.3.2.orig/src/lxml/html/tests/test_clean.txt
++++ lxml-2.3.2/src/lxml/html/tests/test_clean.txt
+@@ -1,3 +1,4 @@
++>>> import re
+ >>> from lxml.html import fromstring, tostring
+ >>> from lxml.html.clean import clean, clean_html, Cleaner
+ >>> from lxml.html import usedoctest
+@@ -15,6 +16,7 @@
+ ...   <body onload="evil_function()">
+ ...     <!-- I am interpreted for EVIL! -->
+ ...     <a href="javascript:evil_function()">a link</a>
+...     <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
+ ...     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+ ...     <a href="#" onclick="evil_function()">another link</a>
+ ...     <p onclick="evil_function()">a paragraph</p>
+@@ -29,7 +31,7 @@
+ ...   </body>
+ ... </html>'''
+
+->>> print(doc)
++>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
+ <html>
+   <head>
+     <script type="text/javascript" src="evil-site"></script>
+@@ -43,6 +45,7 @@
+   <body onload="evil_function()">
+     <!-- I am interpreted for EVIL! -->
+     <a href="javascript:evil_function()">a link</a>
++    <a href="javascrip t:evil_function()">a control char link</a>
+     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+     <a href="#" onclick="evil_function()">another link</a>
+     <p onclick="evil_function()">a paragraph</p>
+@@ -71,6 +74,7 @@
+   <body onload="evil_function()">
+     <!-- I am interpreted for EVIL! -->
+     <a href="javascript:evil_function()">a link</a>
++    <a href="javascrip%20t:evil_function()">a control char link</a>
+     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+     <a href="#" onclick="evil_function()">another link</a>
+     <p onclick="evil_function()">a paragraph</p>
+@@ -92,6 +96,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
++    <a href="">a control char link</a>
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
+@@ -110,6 +115,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
++    <a href="">a control char link</a>
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
\ No newline at end of file
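Review bot: The embedded patch headers name `lxml-2.3.2.orig/src/lxml/html/clean.py` and `lxml-2.3.2/src/lxml/html/clean.py`, while the FrugalBuild in this same commit builds pkgver=2.3.5, so the patch was generated against an older tree; if the context around `_javascript_scheme_re` or `_remove_javascript_link` moved between 2.3.2 and 2.3.5, Fpatchall will apply it with offset or fuzz rather than exactly, which is worth confirming in the build log or by regenerating the patch against the 2.3.5 sources. The hunk headers `@@ -79,9 +79,10 @@` and `@@ -459,7 +460,7 @@` carry no function context, so a fuzzy apply would be easy to miss. Since patch files accept free text before the first `---` line, a short provenance header would let a later maintainer verify the backport against upstream, e.g. `Backport of the CVE-2014-3146 fix for lxml.html.clean (control characters inside link schemes were not stripped before the javascript: check); upstream reference: <UPSTREAM-REF>`.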
diff --git a/source/devel-extra/lxml/FrugalBuild b/source/devel-extra/lxml/FrugalBuild
index 41d8214..812d390 100644
--- a/source/devel-extra/lxml/FrugalBuild
+++ b/source/devel-extra/lxml/FrugalBuild
@@ -1,23 +1,36 @@
# Compiling Time: 0.42 SBU
# Maintainer: Miklos Vajna <[email protected]>

+options+=('asneeded')
+
pkgname=lxml
-pkgver=2.3
-pkgrel=1
+pkgver=2.3.5
+pkgrel=1arcturus1
pkgdesc="Easy-to-use library for working with XML and HTML in Python."
-url="http://codespeak.net/lxml/";
+url="http://lxml.de/";
depends=('libxml2>=2.7.8' 'python' 'libxslt')
+makedepends=('cython')
+_F_github_tag="yes"
+_F_github_ver="$pkgname-$pkgver"
+Finclude github
+up2date="$up2date | cut -d '_' -f 2"
groups=('devel-extra')
archs=('i686' 'x86_64')
-up2date="lynx -dump $url |grep latest|sed 's/.*lxml \(.*\), .*/\1/;q'"
-source=(http://cheeseshop.python.org/packages/source/l/lxml/lxml-$pkgver.tar.gz)
-sha1sums=('2384caa37b94b312d97d3e4b773aeccca94f9c76')
+sha1sums=('f42a117b09935bf37105adc1106337271cf49eef')
+
+
+# FSA fix ***
+source=(${source[@]} CVE-2014-3146.patch)
+sha1sums=(${sha1sums[@]} '02519f306d389a8728e203a782dc4a210ec9972e')
+# ***********
+

build()
{
-       Fcd
-       rm Makefile
-       Fbuild
+       Funpack_github
+       Fpatchall
+       python setup.py install --root=$Fdestdir --optimize=1 || Fdie
}
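Review bot: The `# FSA fix ***` comment above the appended `source=`/`sha1sums=` entries does not say which issue the patch addresses, so a maintainer bumping pkgver later has to open the patch to learn whether it is still needed; naming it in place, `# FSA fix: CVE-2014-3146 (lxml.html.clean control-character bypass), drop once upstream includes it`, makes that decision cheap. In the new `build()` body, `$Fdestdir` is unquoted in `python setup.py install --root=$Fdestdir --optimize=1 || Fdie`; quoting it as `--root="$Fdestdir"` keeps the install root intact if the build path ever contains whitespace. The two blank lines before and after the FSA block are a minor style nit.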

+
# optimization OK