
Bug#962059: marked as done (buster-pu: package python-markdown2/2.3.7-2)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #962059,
regarding buster-pu: package python-markdown2/2.3.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
962059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962059
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Managers,

I'd like to have python-markdown2 updated in Buster, due to a CVE:
CVE-2020-11888.

I attached a debdiff with the bug report, and the update is the
simple adding of debian/patches/0001.

I've also added a gbp.conf to have gbp stop complaining when I don't
give it the proper branch to build; this addition doesn't change the
binary packages.

Note that I've uploaded python-markdown2 2.3.9-1 to unstable 15 minutes
ago. It ships the CVE fix, and should be visible in the archive soon.

Thanks a lot for your work! :)

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru python-markdown2-2.3.7/debian/changelog python-markdown2-2.3.7/debian/changelog
--- python-markdown2-2.3.7/debian/changelog	2019-02-02 18:27:36.000000000 +0100
+++ python-markdown2-2.3.7/debian/changelog	2020-06-02 20:23:22.000000000 +0200
@@ -1,3 +1,10 @@
+python-markdown2 (2.3.7-2+deb10u1) buster; urgency=medium
+
+  * Add d/p/0001 To fix CVE-2020-11888, thanks to Gareth Simpson
+  * Add a d/gbp.conf file to ease-up gbp's mind
+
+ -- Pierre-Elliott Bécue <peb@debian.org>  Tue, 02 Jun 2020 20:23:22 +0200
+
 python-markdown2 (2.3.7-2) unstable; urgency=medium
 
   * Team upload
diff -Nru python-markdown2-2.3.7/debian/gbp.conf python-markdown2-2.3.7/debian/gbp.conf
--- python-markdown2-2.3.7/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/gbp.conf	2020-06-02 20:23:18.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/buster
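Review bot: this `debian/gbp.conf` addition is unrelated to the CVE-2020-11888 fix, and a stable update is easier to review when the debdiff carries the security change alone; if it stays, the request should say (as the cover mail does) that it only affects the packaging workflow and not the built binaries, and the changelog line for it should say the same rather than "to ease-up gbp's mind".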
diff -Nru python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
--- python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch	2020-06-02 20:22:52.000000000 +0200
@@ -0,0 +1,73 @@
+From: Gareth Simpson <g@xurble.org>
+Date: Tue, 2 Jun 2020 20:14:30 +0200
+Subject: Incomplete tags with punctuation after as part of the tag name are a
+ source of XSS
+Bug: https://github.com/trentm/python-markdown2/issues/348
+
+Fixes CVE-2020-11888.
+
+python-markdown2 through 2.3.8 allows XSS because element names are
+mishandled unless a \w+ match succeeds. For example, an attack might use
+elementname@ or elementname- with an onclick attribute.
+---
+ lib/markdown2.py                           | 9 ++++++---
+ test/tm-cases/issue348_incomplete_tag.html | 1 +
+ test/tm-cases/issue348_incomplete_tag.opts | 1 +
+ test/tm-cases/issue348_incomplete_tag.text | 1 +
+ 4 files changed, 9 insertions(+), 3 deletions(-)
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.html
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.opts
+ create mode 100644 test/tm-cases/issue348_incomplete_tag.text
+
+diff --git a/lib/markdown2.py b/lib/markdown2.py
+index 16672f5..bd9fe0c 100755
+--- a/lib/markdown2.py
++++ b/lib/markdown2.py
+@@ -1772,7 +1772,7 @@ class Markdown(object):
+                 lexer_name = lexer_name[3:].strip()
+                 codeblock = rest.lstrip("\n")   # Remove lexer declaration line.
+                 formatter_opts = self.extras['code-color'] or {}
+-        
++
+         # Use pygments only if not using the highlightjs-lang extra
+         if lexer_name and "highlightjs-lang" not in self.extras:
+             def unhash_code(codeblock):
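Review bot: the hunk at line 1772 is a whitespace-only change (a line of trailing spaces replaced by an empty line) with no bearing on the fix; dropping it from the backported patch keeps the stable diff minimal and easier to audit.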
+@@ -2134,12 +2134,15 @@ class Markdown(object):
+         text = self._naked_gt_re.sub('&gt;', text)
+         return text
+ 
+-    _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
++    _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
+ 
+     def _encode_incomplete_tags(self, text):
+         if self.safe_mode not in ("replace", "escape"):
+             return text
+-            
++
++        if text.endswith(">"):
++            return text  # this is not an incomplete tag, this is a link in the form <http://x.y.z>
++
+         return self._incomplete_tags_re.sub("&lt;\\1", text)
+ 
+     def _encode_backslash_escapes(self, text):
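Review bot: the new `_incomplete_tags_re` loses the plain incomplete-tag case the old pattern handled. `.+?` has to consume at least one character before the terminating `[\s/]+?`, so an input such as `<lol attr` (one word, one space, nothing after it) matched the old `<(/?\w+[\s/]+?)` but does not match `<(/?\w+?(?!\w).+?[\s/]+?)`: once `.+?` takes the space there is no further whitespace or `/` to end on, and the `<` stays unescaped unless a second space or slash appears later in the same string. Using `.*?` instead of `.+?` keeps the old behaviour while still matching `lol@/`; while touching the line, make it a raw string (`r"..."`), since `\w` and `\s` in a plain string are invalid escape sequences that recent Pythons warn about. Separately, `if text.endswith(">"): return text` keys on the last character of the whole value passed in, so it is only safe if the caller always hands this method a single tokenized span; a longer string holding an incomplete tag followed by a trailing `<http://x.y.z>` would skip encoding entirely. A docstring on `_encode_incomplete_tags` stating that single-token assumption would make the early return defensible.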
+diff --git a/test/tm-cases/issue348_incomplete_tag.html b/test/tm-cases/issue348_incomplete_tag.html
+new file mode 100644
+index 0000000..46059cc
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.html
+@@ -0,0 +1 @@
++<p>&lt;lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p>
+diff --git a/test/tm-cases/issue348_incomplete_tag.opts b/test/tm-cases/issue348_incomplete_tag.opts
+new file mode 100644
+index 0000000..ad487c0
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.opts
+@@ -0,0 +1 @@
++{"safe_mode": "escape"}
+diff --git a/test/tm-cases/issue348_incomplete_tag.text b/test/tm-cases/issue348_incomplete_tag.text
+new file mode 100644
+index 0000000..bb4a0de
+--- /dev/null
++++ b/test/tm-cases/issue348_incomplete_tag.text
+@@ -0,0 +1 @@
++<lol@/ //id="pwn"//onclick="alert(1)"//**abc**
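Review bot: the regression test covers only the `@` punctuation variant; the commit message also names `elementname-` with an `onclick` attribute, and nothing exercises either the ordinary incomplete tag (`<tag attr` with no further whitespace or `/`) that the previous pattern escaped, or the `<http://x.y.z>` early return added in the same patch. A `tm-cases` triple for each of those would catch a regression in the original escaping as well as an over-broad `endswith(">")` skip.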
diff -Nru python-markdown2-2.3.7/debian/patches/series python-markdown2-2.3.7/debian/patches/series
--- python-markdown2-2.3.7/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.7/debian/patches/series	2020-06-02 20:22:52.000000000 +0200
@@ -0,0 +1 @@
+0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---