Bug 684877 (CVE-2009-5065, CVE-2011-1156, CVE-2011-1157, CVE-2011-1158)

Summary: CVE-2009-5065 CVE-2011-1156 CVE-2011-1157 CVE-2011-1158 python-feedparser: multiple flaws corrected in version 5.0.1
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bugs.michael, extras-orphan, jpopelka, karlthered, lmacken
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-01-17 07:09:29 UTC
Bug Depends On: 684878, 684879

Description Vincent Danen 2011-03-14 17:21:54 UTC
The Python Feed Parser program (python-feedparser) recently released version 5.0.1 with the following fixes:

* Fix issue 91 (invalid text in XML declaration causes sanitizer to crash)
* Fix issue 254 (sanitization can be bypassed by malformed XML comments)
* Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)

Giving the code a quick look, I don't believe the latter two issues affected 4.1 (possibly introduced in the 5.0 release).  The first issue was reported against version 4.1 so would affect what we currently ship in Fedora and EPEL.

Version 5.0.1 corrects these flaws.  It may be worthwhile to update to the latest version as the 5.0 release corrected a number of bugs and adds CSS/HTML5 sanitization.
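The third fix above (issue 255, later CVE-2011-1158) is about link and image URLs in feed HTML that the sanitizer let through with a dangerous scheme. The following is an added illustration of the property a sanitizer must have, not feedparser's own code: every href/src value is dropped unless it is relative or its scheme is on an allowlist, and the scheme is compared only after whitespace and control characters are removed, because browsers ignore those when parsing a scheme. The sample markup, the allowlist and the class name are constructed for this example.

```python
"""Allowlist-based URI scheme filter for HTML in feed entries (constructed example)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}  # assumed allowlist
URL_ATTRS = {"href", "src"}


def is_safe_url(value):
    """True only if the URL is relative or uses an allowlisted scheme.
    Whitespace and ASCII control characters are stripped before the scheme
    is read, so case or embedded tabs cannot hide a disallowed scheme."""
    cleaned = "".join(ch for ch in value if ch > " " and ch != "\x7f")
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class LinkFilter(HTMLParser):
    """Re-serialises its input, dropping URL attributes that fail is_safe_url;
    all other tags, attributes and text pass through unchanged."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = 0  # number of attributes removed

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.lower() in URL_ATTRS and value is not None and not is_safe_url(value):
                self.dropped += 1
                continue
            kept.append(f'{name}="{html.escape(value, quote=True)}"' if value is not None else name)
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_links(markup):
    """Return (filtered_html, dropped_attribute_count) for one feed entry body."""
    parser = LinkFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed feed entry: two acceptable links, one disallowed scheme, one obfuscated variant.
SAMPLE = ('<p><a href="https://example.com/post">ok</a> <a href="/relative/path">ok</a> '
          '<a href="javascript:void(0)">bad</a> <img src=" JaVa\tScript:void(0)"></p>')
```

Running `filter_links(SAMPLE)` keeps the two acceptable links and emits the last two elements as a bare `<a>` and `<img>`, reporting two dropped attributes.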

Comment 1 Vincent Danen 2011-03-14 17:23:15 UTC
Created python-feedparser tracking bugs for this issue

Affects: fedora-all [bug 684878]
Affects: epel-all [bug 684879]

Comment 2 Vincent Danen 2011-03-15 21:00:48 UTC
The following CVE names were assigned for these issues:

issue 91 received the name CVE-2011-1156

issue 254 received the name CVE-2011-1157

issue 255 received the name CVE-2011-1158

http://openwall.com/lists/oss-security/2011/03/15/11

Comment 3 Vincent Danen 2011-03-16 15:58:53 UTC
There is another issue that would affect our version of python-feedparser (XSS vuln):

http://code.google.com/p/feedparser/issues/detail?id=195

This would be fixed in the 5.0 release.  It does not yet have a CVE name.

Comment 4 Vincent Danen 2011-04-05 17:13:05 UTC
The XSS issue noted in comment #3 has been assigned the name CVE-2009-5065.

Comment 5 Luke Macken 2011-04-05 19:04:10 UTC
I just submitted python-feedparser-5.0.1 as an update for F15, F14, F13, EL6, and EL5.

https://admin.fedoraproject.org/updates/python-feedparser

Comment 6 Vincent Danen 2012-01-17 07:09:29 UTC
Fedora and EPEL5/6 have been updated to 5.0.1.  python-feedparser on EPEL4 is noted as being an orphan package, and with RHEL4 EOL coming soon, I suspect if it hasn't been updated there by now, it won't be before EOL.