
Bug#962059: buster-pu: package python-markdown2/2.3.7-2



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Managers,

I'd like to have python-markdown2 updated in Buster, due to a CVE:
CVE-2020-11888.

I attached a debdiff to the bug report; the update simply adds
debian/patches/0001.

I've also added a gbp.conf to have gbp stop complaining when I don't
give it the proper branch to build. This addition doesn't change the
binary packages.

Note that I've uploaded python-markdown2 2.3.9-1 to unstable 15 minutes
ago. It ships the CVE fix, and should be visible in the archive soon.

Thanks a lot for your work! :)

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru python-markdown2-2.3.7/debian/changelog python-markdown2-2.3.7/debian/changelog
--- python-markdown2-2.3.7/debian/changelog	2019-02-02 18:27:36.000000000 +0100
+++ python-markdown2-2.3.7/debian/changelog	2020-06-02 20:23:22.000000000 +0200
@@ -1,3 +1,10 @@
+python-markdown2 (2.3.7-2+deb10u1) buster; urgency=medium
+
+  * Add d/p/0001 To fix CVE-2020-11888, thanks to Gareth Simpson
+  * Add a d/gbp.conf file to ease-up gbp's mind
+
+ -- Pierre-Elliott Bécue <peb@debian.org>  Tue, 02 Jun 2020 20:23:22 +0200
+
 python-markdown2 (2.3.7-2) unstable; urgency=medium
 
   * Team upload
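Review bot: the changelog line `* Add d/p/0001 To fix CVE-2020-11888, thanks to Gareth Simpson` has a stray capital in "To"; while touching it, consider also citing the upstream issue the patch header points at (https://github.com/trentm/python-markdown2/issues/348) so the entry can be found by either reference.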
diff -Nru python-markdown2-2.3.7/debian/gbp.conf python-markdown2-2.3.7/debian/gbp.conf
--- python-markdown2-2.3.7/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/gbp.conf	2020-06-02 20:23:18.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/buster
diff -Nru python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
--- python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch	2020-06-02 20:22:52.000000000 +0200
@@ -0,0 +1,73 @@
+From: Gareth Simpson <g@xurble.org>
+Date: Tue, 2 Jun 2020 20:14:30 +0200
+Subject: Incomplete tags with punctuation after as part of the tag name are a
+ source of XSS
+Bug: https://github.com/trentm/python-markdown2/issues/348
+
+Fixes CVE-2020-11888.
+
+python-markdown2 through 2.3.8 allows XSS because element names are
+mishandled unless a \w+ match succeeds. For example, an attack might use
+elementname@ or elementname- with an onclick attribute.
+---
+ lib/markdown2.py                           | 9 ++++++---
+ test/tm-cases/issue348_incomplete_tag.html | 1 +
+ test/tm-cases/issue348_incomplete_tag.opts | 1 +
+ test/tm-cases/issue348_incomplete_tag.text | 1 +
+ 4 files changed, 9 insertions(+), 3 deletions(-)
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.html
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.opts
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.text
+
+diff --git a/lib/markdown2.py b/lib/markdown2.py
+index 16672f5..bd9fe0c 100755
+--- a/lib/markdown2.py
++++ b/lib/markdown2.py
+@@ -1772,7 +1772,7 @@ class Markdown(object):
+                 lexer_name = lexer_name[3:].strip()
+                 codeblock = rest.lstrip("\n")   # Remove lexer declaration line.
+                 formatter_opts = self.extras['code-color'] or {}
+-        
++
+         # Use pygments only if not using the highlightjs-lang extra
+         if lexer_name and "highlightjs-lang" not in self.extras:
+             def unhash_code(codeblock):
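Review bot: this hunk only strips trailing whitespace from a blank line in the code-color block (the `-        ` / `+` pair) and is unrelated to CVE-2020-11888; for a stable update the debdiff should carry the minimal fix, so drop this hunk from 0001 and keep the security change alone, which is easier to audit.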
+@@ -2134,12 +2134,15 @@ class Markdown(object):
+         text = self._naked_gt_re.sub('&gt;', text)
+         return text
+ 
+-    _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
++    _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
+ 
+     def _encode_incomplete_tags(self, text):
+         if self.safe_mode not in ("replace", "escape"):
+             return text
+-            
++
++        if text.endswith(">"):
++            return text  # this is not an incomplete tag, this is a link in the form <http://x.y.z>
++
+         return self._incomplete_tags_re.sub("&lt;\\1", text)
+ 
+     def _encode_backslash_escapes(self, text):
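Review bot: `.+?` in the new `_incomplete_tags_re` requires at least one non-newline character between the tag name and the `[\s/]` that ends the match, so an input the old `\w+[\s/]+?` pattern caught, such as `<div` immediately followed by a newline, is no longer encoded by this method; use `.*?` instead (the captured group is reinserted verbatim in `"&lt;\\1"`, so nothing depends on it being non-empty). Separately, the `if text.endswith(">")` early return inspects the whole text chunk rather than the individual match, so its safety rests on the caller never passing a chunk that both contains an incomplete tag and ends in `>`; that assumption should be stated in the comment, or the exemption tied to the auto-link form (`<http://x.y.z>`) the comment describes rather than to the last character of the chunk.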
+diff --git a/test/tm-cases/issue348_incomplete_tag.html b/test/tm-cases/issue348_incomplete_tag.html
+new file mode 100644
+index 0000000..46059cc
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.html
+@@ -0,0 +1 @@
++<p>&lt;lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p>
+diff --git a/test/tm-cases/issue348_incomplete_tag.opts b/test/tm-cases/issue348_incomplete_tag.opts
+new file mode 100644
+index 0000000..ad487c0
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.opts
+@@ -0,0 +1 @@
++{"safe_mode": "escape"}
+diff --git a/test/tm-cases/issue348_incomplete_tag.text b/test/tm-cases/issue348_incomplete_tag.text
+new file mode 100644
+index 0000000..bb4a0de
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.text
+@@ -0,0 +1 @@
++<lol@/ //id="pwn"//onclick="alert(1)"//**abc**
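Review bot: the new test only exercises the `@` variant with `safe_mode: escape`; add the `-` variant named in the patch description (e.g. `<lol-/ //onclick="alert(1)"//`), a run with `safe_mode: replace`, and a negative case containing an auto-link such as `<http://x.y.z>` so the `endswith(">")` exemption is covered and a later regex change cannot silently break auto-links.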
diff -Nru python-markdown2-2.3.7/debian/patches/series python-markdown2-2.3.7/debian/patches/series
--- python-markdown2-2.3.7/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/patches/series	2020-06-02 20:22:52.000000000 +0200
@@ -0,0 +1 @@
+0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
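The regex change in the patch above, reproduced as a stand-alone Python example that is added here and is not part of the debdiff or of python-markdown2 itself. It re-implements the two-line `_encode_incomplete_tags` method with the pre-patch and post-patch patterns taken from the hunk, runs both over the patch's own test input and over a few inputs constructed for this example (the `-` variant from the description, an auto-link, and a bare `<div` followed by a newline), and adds a third pattern, `ALT_INCOMPLETE_TAG_RE`, which is my own suggested variant with `.*?` in place of `.+?`, not something the project ships. The `autolink_guard` parameter is likewise an addition so the effect of the new `endswith(">")` early return can be observed.

```python
import re

# Pattern python-markdown2 2.3.7 used before the patch quoted above
# (the "-" line of the second lib/markdown2.py hunk).
OLD_INCOMPLETE_TAG_RE = re.compile(r"<(/?\w+[\s/]+?)")

# Pattern the patch introduces (the "+" line of the same hunk).
NEW_INCOMPLETE_TAG_RE = re.compile(r"<(/?\w+?(?!\w).+?[\s/]+?)")

# Hypothetical variant for comparison, NOT from the project: `.*?` instead of
# `.+?`, so a bare tag name followed directly by whitespace is still matched.
ALT_INCOMPLETE_TAG_RE = re.compile(r"<(/?\w+?(?!\w).*?[\s/]+?)")


def encode_incomplete_tags(text, pattern, safe_mode="escape", autolink_guard=True):
    """Stand-alone re-implementation of the patched _encode_incomplete_tags.

    Same shape as the method in the hunk: a no-op outside safe mode, an early
    return for text ending in '>' (the auto-link exemption the patch adds),
    otherwise '&lt;' is inserted before each match of `pattern`.  The
    `autolink_guard` switch is an addition for this example so the effect of
    that early return can be observed; the real method has no such parameter.
    """
    if safe_mode not in ("replace", "escape"):
        return text
    if autolink_guard and text.endswith(">"):
        return text
    return pattern.sub(r"&lt;\1", text)


# Constructed inputs.  The first is the patch's own test case
# (test/tm-cases/issue348_incomplete_tag.text); the rest are made up here to
# probe the regex change.
SAMPLES = {
    "cve_payload_at": '<lol@/ //id="pwn"//onclick="alert(1)"//**abc**',
    "cve_payload_dash": '<lol-/ //onclick="alert(1)"//**abc**',
    "autolink": "<http://x.y.z>",
    "bare_tag_newline": "<div\n",
}


def compare(text):
    """Run one input through all three patterns; returns {label: output}."""
    return {
        "old": encode_incomplete_tags(text, OLD_INCOMPLETE_TAG_RE),
        "new": encode_incomplete_tags(text, NEW_INCOMPLETE_TAG_RE),
        "alt": encode_incomplete_tags(text, ALT_INCOMPLETE_TAG_RE),
    }


def starts_tag(output):
    """True if the output still contains '<' directly followed by a word
    character, i.e. something a browser would try to read as a tag start."""
    return re.search(r"<\w", output) is not None


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"== {name}: {text!r}")
        for label, out in compare(text).items():
            print(f"  {label}: {out!r}  (raw tag start: {starts_tag(out)})")
```

Running it shows the old pattern leaving both `<lol@/` and `<lol-/` untouched (the tag name is not followed by whitespace or a slash, so `\w+[\s/]+?` never matches) while the new pattern inserts `&lt;` in front of them; it also shows the new pattern turning `<http://x.y.z>` into `&lt;http://x.y.z>` when the `endswith(">")` guard is disabled, which is why the patch needs that early return, and that `<div` followed only by a newline is encoded by the old and by the `.*?` variant but not by the new `.+?` pattern.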
