On Tuesday, 02 June 2020 at 20:46:16+0200, Salvatore Bonaccorso wrote:
> Hi
>
> [disclaimer, not part of the SRM so this is purely
> informational/commenting]
>
> On Tue, Jun 02, 2020 at 08:30:45PM +0200, Pierre-Elliott Bécue wrote:
> > +python-markdown2 (2.3.7-2+deb10u1) buster; urgency=medium
> > +
> > + * Add d/p/0001 To fix CVE-2020-11888, thanks to Gareth Simpson
>
> As you can close a bug with multiple versions you might as well add
> the bug closure for #959445 here so once the fix enters buster
> the BTS will update the fixed versions accordingly.

Thanks! Here's the adapted debdiff!

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
diff -Nru python-markdown2-2.3.7/debian/changelog python-markdown2-2.3.7/debian/changelog
--- python-markdown2-2.3.7/debian/changelog 2019-02-02 18:27:36.000000000 +0100
+++ python-markdown2-2.3.7/debian/changelog 2020-06-02 20:23:22.000000000 +0200
@@ -1,3 +1,11 @@
+python-markdown2 (2.3.7-2+deb10u1) buster; urgency=medium
+
+ * Add d/p/0001 To fix CVE-2020-11888, thanks to Gareth Simpson
+ Closes: #959445
+ * Add a d/gbp.conf file to ease-up gbp's mind
+
+ -- Pierre-Elliott Bécue <peb@debian.org> Tue, 02 Jun 2020 20:23:22 +0200
+
python-markdown2 (2.3.7-2) unstable; urgency=medium
* Team upload
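Review bot: the wording of the new changelog entry is inconsistent: `Add d/p/0001 To fix CVE-2020-11888` should read `to fix`, and `Closes: #959445` is conventionally written `(Closes: #959445)` on the same bullet as the fix it refers to (dpkg-parsechangelog accepts it on its own line, but the usual form is easier to read in the BTS). The second bullet, `Add a d/gbp.conf file to ease-up gbp's mind`, is informal for a stable update; stating what the file does, e.g. `Add d/gbp.conf pointing gbp at the debian/buster branch`, documents the change for the next uploader.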
diff -Nru python-markdown2-2.3.7/debian/gbp.conf python-markdown2-2.3.7/debian/gbp.conf
--- python-markdown2-2.3.7/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/gbp.conf 2020-06-02 20:23:22.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/buster
diff -Nru python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
--- python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch 2020-06-02 20:23:22.000000000 +0200
@@ -0,0 +1,73 @@
+From: Gareth Simpson <g@xurble.org>
+Date: Tue, 2 Jun 2020 20:14:30 +0200
+Subject: Incomplete tags with punctuation after as part of the tag name are a
+ source of XSS
+Bug: https://github.com/trentm/python-markdown2/issues/348
+
+Fixes CVE-2020-11888.
+
+python-markdown2 through 2.3.8 allows XSS because element names are
+mishandled unless a \w+ match succeeds. For example, an attack might use
+elementname@ or elementname- with an onclick attribute.
+---
+ lib/markdown2.py | 9 ++++++---
+ test/tm-cases/issue348_incomplete_tag.html | 1 +
+ test/tm-cases/issue348_incomplete_tag.opts | 1 +
+ test/tm-cases/issue348_incomplete_tag.text | 1 +
+ 4 files changed, 9 insertions(+), 3 deletions(-)
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.html
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.opts
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.text
+
+diff --git a/lib/markdown2.py b/lib/markdown2.py
+index 16672f5..bd9fe0c 100755
+--- a/lib/markdown2.py
++++ b/lib/markdown2.py
+@@ -1772,7 +1772,7 @@ class Markdown(object):
+ lexer_name = lexer_name[3:].strip()
+ codeblock = rest.lstrip("\n") # Remove lexer declaration line.
+ formatter_opts = self.extras['code-color'] or {}
+-
++
+ # Use pygments only if not using the highlightjs-lang extra
+ if lexer_name and "highlightjs-lang" not in self.extras:
+ def unhash_code(codeblock):
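Review bot: the first hunk of the embedded patch (around lib/markdown2.py line 1772) appears to replace a whitespace-only line with an empty one and has no bearing on CVE-2020-11888; for a stable update the debdiff is easier to audit if the backported patch is limited to the `_incomplete_tags_re` / `_encode_incomplete_tags` change.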
+@@ -2134,12 +2134,15 @@ class Markdown(object):
+ text = self._naked_gt_re.sub('>', text)
+ return text
+
+- _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
++ _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
+
+ def _encode_incomplete_tags(self, text):
+ if self.safe_mode not in ("replace", "escape"):
+ return text
+-
++
++ if text.endswith(">"):
++ return text # this is not an incomplete tag, this is a link in the form <http://x.y.z>
++
+ return self._incomplete_tags_re.sub("<\\1", text)
+
+ def _encode_backslash_escapes(self, text):
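Review bot: the new pattern `<(/?\w+?(?!\w).+?[\s/]+?)` requires at least one character (`.+?`) between the element name and the whitespace-or-slash run, so an incomplete tag whose attributes are not followed by any further space or `/` (e.g. `<lol attr=x` at the end of the text) no longer matches, whereas the old `<(/?\w+[\s/]+?)` did; `.*?` in place of `.+?` keeps the old coverage while still matching `<lol@/`, and a test for that shape would pin it down. Two smaller points on the same hunk: both the old and new `re.compile(...)` arguments are ordinary string literals containing `\w`, which is an invalid escape that Python 3.6+ flags with a DeprecationWarning (a SyntaxWarning from 3.12), so the new line is a good place to switch to a raw string; and the `text.endswith(">")` early return is broader than its comment suggests, since it skips encoding for any token ending in `>`, not only for `<http://x.y.z>`-style auto-links, so a check against the auto-link form itself would be more targeted. Finally, as rendered in this archive the replacement string is `"<\\1"` and the context line above reads `sub('>', text)`, i.e. identity replacements; presumably the `&lt;`/`&gt;` entities were decoded on the way to the web page, but the actual patch file should be checked to confirm it writes `&lt;`.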
+diff --git a/test/tm-cases/issue348_incomplete_tag.html b/test/tm-cases/issue348_incomplete_tag.html
+new file mode 100644
+index 0000000..46059cc
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.html
+@@ -0,0 +1 @@
++<p><lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p>
+diff --git a/test/tm-cases/issue348_incomplete_tag.opts b/test/tm-cases/issue348_incomplete_tag.opts
+new file mode 100644
+index 0000000..ad487c0
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.opts
+@@ -0,0 +1 @@
++{"safe_mode": "escape"}
+diff --git a/test/tm-cases/issue348_incomplete_tag.text b/test/tm-cases/issue348_incomplete_tag.text
+new file mode 100644
+index 0000000..bb4a0de
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.text
+@@ -0,0 +1 @@
++<lol@/ //id="pwn"//onclick="alert(1)"//**abc**
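Review bot: the new tm-case only exercises the `elementname@` shape named in the description; the description also lists `elementname-`, and a second case for the hyphen form (plus one with `{"safe_mode": "replace"}`, the other mode the function handles) would cover the claim in the commit message rather than a single input. Note also that the expected output in issue348_incomplete_tag.html begins with a raw `<lol@/` as shown here, which as rendered is identical to the input; if that is how the file reads in the source package rather than an archive decoding `&lt;`, the test would pass on unchanged output.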
diff -Nru python-markdown2-2.3.7/debian/patches/series python-markdown2-2.3.7/debian/patches/series
--- python-markdown2-2.3.7/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/patches/series 2020-06-02 20:23:22.000000000 +0200
@@ -0,0 +1 @@
+0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch