Security review:

It has had 4 CVEs:
- CVE-2009-5065: XSS - one line patch, tests added
- CVE-2011-1156: crash via malformed DOCTYPE - contained fix, test added
- CVE-2011-1157: XSS - contained fix, test added
- CVE-2011-1158: XSS - 3 line patch, test added
The package, like Michael said, is a python library to download and parse feeds. It seems to be coded well with html sanitization happening via the recommended python-utidylib library. Beyond the python-utidylib library, it also filters out dangerous HTML and enforces the use of only a subset of HTML. Design is such that input must go through sanitization routines, and the aforementioned XSS vulnerabilities were all easy to fix as a result. I tried some basic XSS attacks via crafted feeds and feedparser seems resistant to attack. While I can't say there are no more vulnerabilities in feedparser, it does seem both well maintained and well designed which should make this supportable in Ubuntu.

feedparser has a testsuite that is not enabled in the build:

  $ cd feedparser ; python feedparsertest.py
  Ran 4121 tests in 14.690s

I ran this in a VM with tcpdump monitoring network traffic and I didn't see it trying to use the network. In addition to the 4121 existing tests, I noticed that for every CVE fixed, upstream added a test case.

I would like to see the testsuite enabled in the build as a condition of this MIR. Once that is done, feedparser has security team signoff.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-5065

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1156

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1157

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1158

** Changed in: feedparser (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => Chuck Short (zulcss)

** Changed in: feedparser (Ubuntu)
       Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/879520

Title:
  [MIR] python-feedparser

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
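The review above credits feedparser's resilience to an allowlist design: markup is rebuilt from a fixed subset of tags and attributes, so an XSS fix is a one-line change to a list rather than a new blocklist rule. The following is an added example of that design, not feedparser's own code; the tag and attribute allowlists and the `FeedSanitizer`/`sanitize` names are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for illustration, not feedparser's actual lists.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0  # >0 while inside <script>/<style>: their text is discarded

    @staticmethod
    def _safe_url(value):
        # Remove all whitespace first so "java\nscript:" cannot hide the scheme.
        v = "".join(value.split()).lower()
        return ":" not in v or v.startswith(SAFE_SCHEMES)  # relative, or known scheme

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
        elif not self.skipping and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue  # also drops every on* event handler and style=
                if name in ("href", "src") and not self._safe_url(value or ""):
                    continue
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
        # Any other element: tag is dropped, its text content is kept below.

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize(html):
    """Return html reduced to the allowed subset of tags and attributes."""
    p = FeedSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```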
