Bug 1092613 - (CVE-2014-3146) CVE-2014-3146 python-lxml: clean_html input sanitization flaw
CVE-2014-3146 python-lxml: clean_html input sanitization flaw
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20140415,reported=2...
: Security
Depends On: 1092614
Blocks: 1092616
  Show dependency treegraph
 
Reported: 2014-04-29 10:55 EDT by Martin Prpic
Modified: 2015-08-22 02:50 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 02:50:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Prpic 2014-04-29 10:55:01 EDT
The lxml.html.clean module cleans up HTML by removing embedded or script content, special tags, CSS style annotations and much more. It was found [1] that the clean_html() function, provided by the lxml.html.clean module, did not properly clean HTML input if it included non-printed characters (\x01-\x08). A remote attacker could use this flaw to serve malicious content to an application using the clean_html() function to process HTML, possibly allowing the attacker to inject malicious code into a website generated by this application.

This issue has been reported upstream at [2] and a patch is available at [3].

[1] http://seclists.org/fulldisclosure/2014/Apr/210
[2] https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
[3] https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
Comment 1 Martin Prpic 2014-04-29 10:57:09 EDT
Created python-lxml tracking bugs for this issue:

Affects: epel-5 [bug 1092614]
Comment 2 Jeffrey C. Ollie 2014-04-29 11:13:52 EDT
Is this patch included in 3.3.5?  The release notes would seem to indicate that it was, but I want to make sure.  I submitted 3.3.5 packages yesterday but it does not look like they have been pushed to the mirrors yet.

https://admin.fedoraproject.org/updates/python-lxml-3.3.5-1.fc20
https://admin.fedoraproject.org/updates/python-lxml-3.3.5-1.fc19
Comment 3 Martin Prpic 2014-04-30 09:18:04 EDT
(In reply to Jeffrey C. Ollie from comment #2)
> Is this patch included in 3.3.5?  The release notes would seem to indicate
> that it was, but I want to make sure.  I submitted 3.3.5 packages yesterday
> but it does not look like they have been pushed to the mirrors yet.
> 
> https://admin.fedoraproject.org/updates/python-lxml-3.3.5-1.fc20
> https://admin.fedoraproject.org/updates/python-lxml-3.3.5-1.fc19

Hi Jeffrey,

I checked the sources of the builds you link to and they both include the patch that fixes this issue. Both builds are in testing and will be pushed to stable updates once they get enough karma or the in-testing time passes.
Comment 4 Fedora Update System 2014-05-02 17:02:32 EDT
python-lxml-3.3.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-05-08 06:00:27 EDT
python-lxml-3.3.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Vincent Danen 2015-08-22 02:50:32 EDT
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.