Version in base suite: 3.1.0-1 Version in overlay suite: 3.1.1-0+deb10u1 Base version: python-bleach_3.1.1-0+deb10u1 Target version: python-bleach_3.1.2-0+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-bleach/python-bleach_3.1.1-0+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-bleach/python-bleach_3.1.2-0+deb10u1.dsc CHANGES | 34 ++++++++++++++++++++++++++++++++++ bleach/__init__.py | 4 ++-- bleach/html5lib_shim.py | 13 ++++++++++++- debian/changelog | 7 +++++++ requirements-dev.txt | 3 +++ tests/test_clean.py | 27 +++++++++++++++++++++++++-- 6 files changed, 83 insertions(+), 5 deletions(-) diff -Nru python-bleach-3.1.1/CHANGES python-bleach-3.1.2/CHANGES --- python-bleach-3.1.1/CHANGES 2020-02-19 17:34:12.000000000 +0000 +++ python-bleach-3.1.2/CHANGES 2020-03-17 14:26:44.000000000 +0000 
@@ -1,6 +1,40 @@ Bleach changes ============== +Version 3.1.2 (March 11th, 2020) +-------------------------------- + +**Security fixes** + +* ``bleach.clean`` behavior parsing embedded MathML and SVG content + with RCDATA tags did not match browser behavior and could result in + a mutation XSS. + + Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or + ``svg`` tags and one or more of the RCDATA tags ``script``, + ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or + ``xmp`` in the allowed tags whitelist were vulnerable to a mutation + XSS. + + This security issue was confirmed in Bleach version v3.1.1. Earlier + versions are likely affected too. + + Anyone using Bleach <=v3.1.1 is encouraged to upgrade. + + https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 + +**Backwards incompatible changes** + +None + +**Features** + +None + +**Bug fixes** + +None + Version 3.1.1 (February 13th, 2020) ----------------------------------- diff -Nru python-bleach-3.1.1/bleach/__init__.py python-bleach-3.1.2/bleach/__init__.py --- python-bleach-3.1.1/bleach/__init__.py 2020-02-19 17:34:12.000000000 +0000 +++ python-bleach-3.1.2/bleach/__init__.py 2020-03-17 14:26:44.000000000 +0000 @@ -18,9 +18,9 @@ # yyyymmdd -__releasedate__ = '20200213' +__releasedate__ = '20200311' # x.y.z or x.y.z.dev0 -- semver -__version__ = '3.1.1' +__version__ = '3.1.2' VERSION = parse_version(__version__) diff -Nru python-bleach-3.1.1/bleach/html5lib_shim.py python-bleach-3.1.2/bleach/html5lib_shim.py --- python-bleach-3.1.1/bleach/html5lib_shim.py 2020-02-19 17:34:12.000000000 +0000 +++ python-bleach-3.1.2/bleach/html5lib_shim.py 2020-03-17 14:26:44.000000000 +0000 
@@ -533,7 +533,18 @@ class BleachHTMLSerializer(HTMLSerializer): - """HTMLSerializer that undoes & -> & in attributes""" + """HTMLSerializer that undoes & -> & in attributes and sets + escape_rcdata to True + """ + + # per the HTMLSerializer.__init__ docstring: + # + # Whether to escape characters that need to be + # escaped within normal elements within rcdata elements such as + # style. + # + escape_rcdata = True + def escape_base_amp(self, stoken): """Escapes just bare & in HTML attribute values""" # First, undo escaping of &. We need to do this because html5lib's diff -Nru python-bleach-3.1.1/debian/changelog python-bleach-3.1.2/debian/changelog --- python-bleach-3.1.1/debian/changelog 2020-02-27 10:53:52.000000000 +0000 +++ python-bleach-3.1.2/debian/changelog 2020-03-19 04:14:11.000000000 +0000 @@ -1,3 +1,10 @@ +python-bleach (3.1.2-0+deb10u1) buster-security; urgency=high + + * New upstream security release (Closes: #954236) + - Addresses CVE-2020-6816 + + -- Scott Kitterman Thu, 19 Mar 2020 00:14:11 -0400 + python-bleach (3.1.1-0+deb10u1) buster-security; urgency=high * New upstream security release (Closes: #951907) diff -Nru python-bleach-3.1.1/requirements-dev.txt python-bleach-3.1.2/requirements-dev.txt --- python-bleach-3.1.1/requirements-dev.txt 2020-02-19 17:34:12.000000000 +0000 +++ python-bleach-3.1.2/requirements-dev.txt 2020-03-17 14:26:44.000000000 +0000 @@ -11,3 +11,6 @@ # Requirements for updating package twine + +# Requirements for running setup.py bdist_wheel +wheel diff -Nru python-bleach-3.1.1/tests/test_clean.py python-bleach-3.1.2/tests/test_clean.py --- python-bleach-3.1.1/tests/test_clean.py 2020-02-19 17:34:12.000000000 +0000 +++ python-bleach-3.1.2/tests/test_clean.py 2020-03-17 14:26:44.000000000 +0000 
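Review bot: `escape_rcdata = True` is set only as a class attribute, and if I read html5lib's `HTMLSerializer.__init__` correctly it resolves each option as `kwargs.get(attr, getattr(self, attr))`, so any caller that constructs `BleachHTMLSerializer(..., escape_rcdata=False)` silently reverts the mutation-XSS fix described in the CHANGES hunk. Since the flag is now security-critical rather than a formatting preference, consider pinning it in the constructor: `def __init__(self, **kwargs):` / `    kwargs["escape_rcdata"] = True  # security: see CHANGES 3.1.2 / bug 1621692` / `    super().__init__(**kwargs)`. The new comment only restates the html5lib docstring; recording why bleach overrides it would stop a future cleanup from dropping it, e.g. `# Escape text inside RCDATA elements (style, script, ...) on output: when they sit inside math/svg, browsers reparse that text as markup (mutation XSS, bug 1621692).` The class body and `escape_base_amp` continue outside the hunk.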
@@ -5,7 +5,7 @@ from bleach import clean from bleach.html5lib_shim import Filter from bleach.sanitizer import Cleaner - +from bleach._vendor.html5lib.constants import rcdataElements def test_clean_idempotent(): """Make sure that applying the filter twice doesn't change anything.""" @@ -787,7 +787,7 @@ ( raw_tag, "" % raw_tag, - "<img src=x onerror=alert(1) />" % raw_tag, + "<img src=x onerror=alert(1) />" % raw_tag, ) for raw_tag in _raw_tags ], @@ -797,6 +797,29 @@ assert clean(data, tags=["noscript", raw_tag]) == expected +@pytest.mark.parametrize( + "namespace_tag, rc_data_element_tag, data, expected", + [ + ( + namespace_tag, + rc_data_element_tag, + "<%s><%s>" % (namespace_tag, rc_data_element_tag), + "<%s><%s><img src=x onerror=alert(1)>" % (namespace_tag, rc_data_element_tag, rc_data_element_tag, namespace_tag), + ) + for namespace_tag in ["math", "svg"] + # https://dev.w3.org/html5/html-author/#rcdata-elements + # https://html.spec.whatwg.org/index.html#parsing-html-fragments + # in html5lib: 'style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', and 'noscript' + for rc_data_element_tag in rcdataElements + ], +) +def test_namespace_rc_data_element_strip_false(namespace_tag, rc_data_element_tag, data, expected): + # refs: bug 1621692 / GHSA-m6xf-fq7q-8743 + # + # browsers will pull the img out of the namespace and rc data tag resulting in XSS + assert clean(data, tags=[namespace_tag, rc_data_element_tag], strip=False) == expected + + def get_ids_and_tests(): """Retrieves regression tests from data/ directory
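Review bot: Replacing the blank line after `from bleach.sanitizer import Cleaner` with the new import leaves, going by the hunk's 7/7 line count, a single blank line between the import block and `def test_clean_idempotent()`, which PEP 8 (E302) and any flake8 run the project does would flag; keep the removed blank line and place `from bleach._vendor.html5lib.constants import rcdataElements` directly under the other `bleach` imports instead. The other two hunks of this file share this anchor; the last one, which adds `test_namespace_rc_data_element_strip_false`, runs past the end of the page and is not reviewed here.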