Hello community, here is the log from the commit of package python-bleach for openSUSE:Factory checked in at 2020-04-05 20:51:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-bleach (Old) and /work/SRC/openSUSE:Factory/.python-bleach.new.3248 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-bleach" Sun Apr 5 20:51:47 2020 rev:10 rq:790549 version:3.1.4 Changes: --------
--- /work/SRC/openSUSE:Factory/python-bleach/python-bleach.changes 2020-03-27 00:28:20.960349560 +0100
+++ /work/SRC/openSUSE:Factory/.python-bleach.new.3248/python-bleach.changes 2020-04-05 20:51:52.177086435 +0200
@@ -1,0 +2,12 @@
+Wed Apr 1 11:18:24 UTC 2020 - Dirk Mueller <[email protected]>
+
+- update to 3.1.4 (bsc#1168280, CVE-2020-6817):
+ * ``bleach.clean`` behavior parsing style attributes could result in a
+ regular expression denial of service (ReDoS).
+ Calls to ``bleach.clean`` with an allowed tag with an allowed
+ ``style`` attribute were vulnerable to ReDoS. For example,
+ ``bleach.clean(..., attributes={'a': ['style']})``.
+ * Style attributes with dashes, or single or double quoted values are
+ cleaned instead of passed through.
+
+-------------------------------------------------------------------
@@ -4 +16 @@
-- update to 3.1.3 (bsc#1167379):
+- update to 3.1.3 (bsc#1167379, CVE-2020-6816):
@@ -18,2 +29,0 @@
- This security issue was confirmed in Bleach version v3.1.1. Earlier
- versions are likely affected too.
Old: ---- bleach-3.1.3.tar.gz New: ---- bleach-3.1.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-bleach.spec ++++++
--- /var/tmp/diff_new_pack.vuo4uk/_old 2020-04-05 20:51:52.837087066 +0200
+++ /var/tmp/diff_new_pack.vuo4uk/_new 2020-04-05 20:51:52.837087066 +0200
@@ -19,7 +19,7 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name: python-bleach
-Version: 3.1.3
+Version: 3.1.4
 Release: 0
 Summary: A whitelist-based HTML-sanitizing tool
 License: Apache-2.0
++++++ bleach-3.1.3.tar.gz -> bleach-3.1.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.3/CHANGES new/bleach-3.1.4/CHANGES
--- old/bleach-3.1.3/CHANGES 2020-03-17 16:28:50.000000000 +0100
+++ new/bleach-3.1.4/CHANGES 2020-03-26 15:36:36.000000000 +0100
@@ -1,6 +1,39 @@
 Bleach changes
 ==============
+Version 3.1.4 (March 24th, 2020)
+--------------------------------
+
+**Security fixes**
+
+* ``bleach.clean`` behavior parsing style attributes could result in a
+ regular expression denial of service (ReDoS).
+
+ Calls to ``bleach.clean`` with an allowed tag with an allowed
+ ``style`` attribute were vulnerable to ReDoS. For example,
+ ``bleach.clean(..., attributes={'a': ['style']})``.
+
+ This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
+ v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
+ regular expression and should be considered vulnerable too.
+
+ Anyone using Bleach <=v3.1.3 is encouraged to upgrade.
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
+
+**Backwards incompatible changes**
+
+* Style attributes with dashes, or single or double quoted values are
+ cleaned instead of passed through.
+
+**Features**
+
+None
+
+**Bug fixes**
+
+None
+
 Version 3.1.3 (March 17th, 2020)
 --------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.3/PKG-INFO new/bleach-3.1.4/PKG-INFO
--- old/bleach-3.1.3/PKG-INFO 2020-03-17 16:29:18.039319300 +0100
+++ new/bleach-3.1.4/PKG-INFO 2020-03-26 15:38:47.279794700 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.2
 Name: bleach
-Version: 3.1.3
+Version: 3.1.4
 Summary: An easy safelist-based HTML-sanitizing tool.
 Home-page: https://github.com/mozilla/bleach
 Maintainer: Will Kahn-Greene
@@ -124,6 +124,39 @@
 Bleach changes
 ==============
+ Version 3.1.4 (March 24th, 2020)
+ --------------------------------
+
+ **Security fixes**
+
+ * ``bleach.clean`` behavior parsing style attributes could result in a
+ regular expression denial of service (ReDoS).
+
+ Calls to ``bleach.clean`` with an allowed tag with an allowed
+ ``style`` attribute were vulnerable to ReDoS. For example,
+ ``bleach.clean(..., attributes={'a': ['style']})``.
+
+ This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
+ v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
+ regular expression and should be considered vulnerable too.
+
+ Anyone using Bleach <=v3.1.3 is encouraged to upgrade.
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
+
+ **Backwards incompatible changes**
+
+ * Style attributes with dashes, or single or double quoted values are
+ cleaned instead of passed through.
+
+ **Features**
+
+ None
+
+ **Bug fixes**
+
+ None
+
 Version 3.1.3 (March 17th, 2020)
 --------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.3/bleach/__init__.py new/bleach-3.1.4/bleach/__init__.py
--- old/bleach-3.1.3/bleach/__init__.py 2020-03-17 16:26:03.000000000 +0100
+++ new/bleach-3.1.4/bleach/__init__.py 2020-03-26 15:36:36.000000000 +0100
@@ -18,9 +18,9 @@
 # yyyymmdd
-__releasedate__ = '20200317'
+__releasedate__ = '20200324'
 # x.y.z or x.y.z.dev0 -- semver
-__version__ = '3.1.3'
+__version__ = '3.1.4'
 VERSION = parse_version(__version__)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.3/bleach/sanitizer.py new/bleach-3.1.4/bleach/sanitizer.py
--- old/bleach-3.1.3/bleach/sanitizer.py 2020-03-17 16:26:03.000000000 +0100
+++ new/bleach-3.1.4/bleach/sanitizer.py 2020-03-26 15:36:36.000000000 +0100
@@ -593,8 +593,14 @@
 # the whole thing.
 parts = style.split(';')
 gauntlet = re.compile(
- r"""^([-/:,#%.'"\s!\w]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$""",
- flags=re.U
+ r"""^( # consider a style attribute value as composed of:
+[/:,#%!.\s\w] # a non-newline character
+|\w-\w # 3 characters in the form \w-\w
+|'[\s\w]+'\s* # a single quoted string of [\s\w]+ with trailing space
+|"[\s\w]+" # a double quoted string of [\s\w]+
+|\([\d,%\.\s]+\) # a parenthesized string of one or more digits, commas, periods, percent signs, or whitespace e.g. from 'color: hsl(30,100%,50%)''
+)*$""",
+ flags=re.U | re.VERBOSE
 )
 for part in parts:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.3/bleach.egg-info/PKG-INFO new/bleach-3.1.4/bleach.egg-info/PKG-INFO
--- old/bleach-3.1.3/bleach.egg-info/PKG-INFO 2020-03-17 16:29:17.000000000 +0100
+++ new/bleach-3.1.4/bleach.egg-info/PKG-INFO 2020-03-26 15:38:47.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.2
 Name: bleach
-Version: 3.1.3
+Version: 3.1.4
 Summary: An easy safelist-based HTML-sanitizing tool.
 Home-page: https://github.com/mozilla/bleach
 Maintainer: Will Kahn-Greene
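Review bot: The comment on the first alternative in the sanitizer.py hunk, `# a non-newline character`, does not describe `[/:,#%!.\s\w]`: it is a narrow allow-list, and `\s` matches newlines too, so a maintainer trusting the comment could widen the class back to "any character". The property the hunk actually relies on is that `-`, `'` and `"` were dropped from that class so it no longer overlaps the `\w-\w`, `'[\s\w]+'\s*` and `"[\s\w]+"` alternatives inside `(...)*$`, which is also why the cursor/text-overflow cases in tests/test_css.py are now xfail'd. I would state that where the next editor will see it: `# a single allowed character; '-', ' and " are deliberately absent so this class does not overlap the dashed/quoted alternatives below (bug 1623633)`. The stray `''` after `hsl(30,100%,50%)` in the last alternative's comment looks like a typo. The enclosing function starts and ends outside the hunk.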
@@ -124,6 +124,39 @@
 Bleach changes
 ==============
+ Version 3.1.4 (March 24th, 2020)
+ --------------------------------
+
+ **Security fixes**
+
+ * ``bleach.clean`` behavior parsing style attributes could result in a
+ regular expression denial of service (ReDoS).
+
+ Calls to ``bleach.clean`` with an allowed tag with an allowed
+ ``style`` attribute were vulnerable to ReDoS. For example,
+ ``bleach.clean(..., attributes={'a': ['style']})``.
+
+ This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
+ v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
+ regular expression and should be considered vulnerable too.
+
+ Anyone using Bleach <=v3.1.3 is encouraged to upgrade.
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
+
+ **Backwards incompatible changes**
+
+ * Style attributes with dashes, or single or double quoted values are
+ cleaned instead of passed through.
+
+ **Features**
+
+ None
+
+ **Bug fixes**
+
+ None
+
 Version 3.1.3 (March 17th, 2020)
 --------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.3/tests/test_css.py new/bleach-3.1.4/tests/test_css.py
--- old/bleach-3.1.3/tests/test_css.py 2020-03-17 16:26:03.000000000 +0100
+++ new/bleach-3.1.4/tests/test_css.py 2020-03-26 15:36:36.000000000 +0100
@@ -1,6 +1,7 @@
 from __future__ import unicode_literals
 from functools import partial
+from timeit import timeit
 import pytest
@@ -37,10 +38,12 @@
 '<p style="color: red;">bar</p>'
 ),
 # Handle leading - in attributes
- (
+ # regressed with the fix for bug 1623633
+ pytest.param(
 '<p style="cursor: -moz-grab;">bar</p>',
 ['cursor'],
- '<p style="cursor: -moz-grab;">bar</p>'
+ '<p style="cursor: -moz-grab;">bar</p>',
+ marks=pytest.mark.xfail,
 ),
 # Handle () in attributes
 (
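Review bot: `marks=pytest.mark.xfail,` on the `cursor: -moz-grab` case is non-strict, so when dash handling is restored later the case will report XPASS and the suite keeps passing without telling anyone the mark is stale; the same applies to the two text-overflow cases in the next hunk of tests/test_css.py. Prefer `marks=pytest.mark.xfail(strict=True, reason="regressed by the fix for bug 1623633")` on all three, so the expected failure is enforced and the reason travels with the test rather than only in the comment above it. The parametrize list these entries belong to starts and ends outside the hunk.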
@@ -54,16 +57,20 @@
 '<p style="color: rgba(255,0,0,0.4);">bar</p>',
 ),
 # Handle ' in attributes
- (
+ # regressed with the fix for bug 1623633
+ pytest.param(
 '<p style="text-overflow: \',\' ellipsis;">bar</p>',
 ['text-overflow'],
- '<p style="text-overflow: \',\' ellipsis;">bar</p>'
+ '<p style="text-overflow: \',\' ellipsis;">bar</p>',
+ marks=pytest.mark.xfail,
 ),
 # Handle " in attributes
- (
+ # regressed with the fix for bug 1623633
+ pytest.param(
 '<p style=\'text-overflow: "," ellipsis;\'>bar</p>',
 ['text-overflow'],
- '<p style=\'text-overflow: "," ellipsis;\'>bar</p>'
+ '<p style=\'text-overflow: "," ellipsis;\'>bar</p>',
+ marks=pytest.mark.xfail,
 ),
 (
 '<p style=\'font-family: "Arial";\'>bar</p>',
@@ -223,3 +230,17 @@
 def test_css_parsing_with_entities(data, styles, expected):
 """The sanitizer should be ok with character entities"""
 assert clean(data, tags=['p'], attributes={'p': ['style']}, styles=styles) == expected
+
+
[email protected]('overlap_test_char', ["\"", "'", "-"])
+def test_css_parsing_gauntlet_regex_backtracking(overlap_test_char): """The sanitizer gauntlet regex should not catastrophically backtrack"""
+ # refs: https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
+
+ def time_clean(test_char, size):
+ style_attr_value = (test_char + 'a' + test_char) * size + '^'
+ stmt = """clean('''<a style='%s'></a>''', attributes={'a': ['style']})""" % style_attr_value
+ return timeit(stmt=stmt, setup='from bleach import clean', number=1)
+
+ # should complete in less than one second
+ assert time_clean(overlap_test_char, 22) < 1.0
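Review bot: `assert time_clean(overlap_test_char, 22) < 1.0` in test_css_parsing_gauntlet_regex_backtracking is a wall-clock bound taken from a single `number=1` run, so on a loaded CI runner it can fail with no regression in the regex, and nothing checks what `clean` actually returned for the input. Building `stmt` by `%`-formatting the attribute value into source text that `timeit` compiles is also fragile, because it relies on the generated snippet staying valid Python for every test character (hence the `'''` wrapping). Since `partial` is already imported at the top of the file, pass a callable instead, e.g. `return timeit(partial(clean, "<a style='%s'></a>" % style_attr_value, attributes={'a': ['style']}), number=1)`, and add a second assertion on the cleaned output so the test pins behaviour as well as timing.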
