On Tuesday 02 June 2020 at 20:46:16 +0200, Salvatore Bonaccorso wrote:
> Hi
>
> [disclaimer, not part of the SRM so this is purely
> informational/commenting]
>
> On Tue, Jun 02, 2020 at 08:30:45PM +0200, Pierre-Elliott Bécue wrote:
> > +python-markdown2 (2.3.7-2+deb10u1) buster; urgency=medium
> > +
> > + * Add d/p/0001 To fix CVE-2020-11888, thanks to Gareth Simpson
>
> As you can close a bug with multiple versions, you might add the bug
> closure for #959445 here as well, so once the fix enters buster the BTS
> will update the fixed versions accordingly.
Thanks! Here's the adapted debdiff!

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
diff -Nru python-markdown2-2.3.7/debian/changelog python-markdown2-2.3.7/debian/changelog --- python-markdown2-2.3.7/debian/changelog 2019-02-02 18:27:36.000000000 +0100 +++ python-markdown2-2.3.7/debian/changelog 2020-06-02 20:23:22.000000000 +0200 @@ -1,3 +1,11 @@ +python-markdown2 (2.3.7-2+deb10u1) buster; urgency=medium + + * Add d/p/0001 To fix CVE-2020-11888, thanks to Gareth Simpson + Closes: #959445 + * Add a d/gbp.conf file to ease-up gbp's mind + + -- Pierre-Elliott Bécue <p...@debian.org> Tue, 02 Jun 2020 20:23:22 +0200 + python-markdown2 (2.3.7-2) unstable; urgency=medium * Team upload diff -Nru python-markdown2-2.3.7/debian/gbp.conf python-markdown2-2.3.7/debian/gbp.conf --- python-markdown2-2.3.7/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ python-markdown2-2.3.7/debian/gbp.conf 2020-06-02 20:23:22.000000000 +0200 @@ -0,0 +1,3 @@ +[DEFAULT] +pristine-tar = True +debian-branch = debian/buster diff -Nru python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch --- python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-markdown2-2.3.7/debian/patches/0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch 2020-06-02 20:23:22.000000000 +0200 
@@ -0,0 +1,73 @@ +From: Gareth Simpson <g...@xurble.org> +Date: Tue, 2 Jun 2020 20:14:30 +0200 +Subject: Incomplete tags with punctuation after as part of the tag name are a + source of XSS +Bug: https://github.com/trentm/python-markdown2/issues/348 + +Fixes CVE-2020-11888. + +python-markdown2 through 2.3.8 allows XSS because element names are +mishandled unless a \w+ match succeeds. For example, an attack might use +elementname@ or elementname- with an onclick attribute. +--- + lib/markdown2.py | 9 ++++++--- + test/tm-cases/issue348_incomplete_tag.html | 1 + + test/tm-cases/issue348_incomplete_tag.opts | 1 + + test/tm-cases/issue348_incomplete_tag.text | 1 + + 4 files changed, 9 insertions(+), 3 deletions(-) + create mode 100644 test/tm-cases/issue348_incomplete_tag.html + create mode 100644 test/tm-cases/issue348_incomplete_tag.opts + create mode 100644 test/tm-cases/issue348_incomplete_tag.text + +diff --git a/lib/markdown2.py b/lib/markdown2.py +index 16672f5..bd9fe0c 100755 +--- a/lib/markdown2.py ++++ b/lib/markdown2.py +@@ -1772,7 +1772,7 @@ class Markdown(object): + lexer_name = lexer_name[3:].strip() + codeblock = rest.lstrip("\n") # Remove lexer declaration line. 
+ formatter_opts = self.extras['code-color'] or {} +- ++ + # Use pygments only if not using the highlightjs-lang extra + if lexer_name and "highlightjs-lang" not in self.extras: + def unhash_code(codeblock): +@@ -2134,12 +2134,15 @@ class Markdown(object): + text = self._naked_gt_re.sub('>', text) + return text + +- _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)") ++ _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)") + + def _encode_incomplete_tags(self, text): + if self.safe_mode not in ("replace", "escape"): + return text +- ++ ++ if text.endswith(">"): ++ return text # this is not an incomplete tag, this is a link in the form <http://x.y.z> ++ + return self._incomplete_tags_re.sub("<\\1", text) + + def _encode_backslash_escapes(self, text): +diff --git a/test/tm-cases/issue348_incomplete_tag.html b/test/tm-cases/issue348_incomplete_tag.html +new file mode 100644 +index 0000000..46059cc +--- /dev/null ++++ b/test/tm-cases/issue348_incomplete_tag.html +@@ -0,0 +1 @@ ++<p><lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p> +diff --git a/test/tm-cases/issue348_incomplete_tag.opts b/test/tm-cases/issue348_incomplete_tag.opts +new file mode 100644 +index 0000000..ad487c0 +--- /dev/null ++++ b/test/tm-cases/issue348_incomplete_tag.opts +@@ -0,0 +1 @@ ++{"safe_mode": "escape"} +diff --git a/test/tm-cases/issue348_incomplete_tag.text b/test/tm-cases/issue348_incomplete_tag.text +new file mode 100644 +index 0000000..bb4a0de +--- /dev/null ++++ b/test/tm-cases/issue348_incomplete_tag.text +@@ -0,0 +1 @@ ++<lol@/ //id="pwn"//onclick="alert(1)"//**abc** diff -Nru python-markdown2-2.3.7/debian/patches/series python-markdown2-2.3.7/debian/patches/series --- python-markdown2-2.3.7/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ python-markdown2-2.3.7/debian/patches/series 2020-06-02 20:23:22.000000000 +0200 @@ -0,0 +1 @@ +0001-Incomplete-tags-with-punctuation-after-as-part-of-th.patch
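Review bot: in the debian/changelog hunk the separate `Closes: #959445` line should be picked up, but the conventional form is to put the closure on the item itself, e.g. `* Add d/p/0001 to fix CVE-2020-11888, thanks to Gareth Simpson (Closes: #959445)` (and lowercase `to`). The second item, adding debian/gbp.conf with `debian-branch = debian/buster`, is unrelated to the CVE fix; for a stable update it is worth either dropping it or stating in the changelog why it is needed, since the stable review normally expects the debdiff to be limited to the fix.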
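Review bot: the hunk at `@@ -1772,7 +1772,7 @@` in lib/markdown2.py changes only whitespace on a blank line (the `-`/`+` pair after `formatter_opts = self.extras['code-color'] or {}`) and has nothing to do with CVE-2020-11888; dropping it would keep the security patch minimal and easier to review.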
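Review bot: the early return added in `_encode_incomplete_tags` (`if text.endswith(">"): return text`) is far broader than its comment describes: it tests the last character of the whole input handed to the method, not whether the match is an autolink of the form `<http://x.y.z>`, so any text whose final character is `>` skips incomplete-tag encoding entirely. A narrower condition, such as matching the autolink pattern itself, would keep the fix effective for the rest of such a text. Two smaller points on the same hunk: the new `_incomplete_tags_re` pattern is a non-raw string containing `\w` and `\s` (as the old one was), which a raw `r"..."` literal would make cleaner; and as rendered here the substitution reads `sub("<\\1", text)`, which would escape nothing. If that is only the mail archive decoding an `&lt;` entity, fine, but it is worth confirming the patched file still substitutes `&lt;\1` (the `_naked_gt_re.sub('>', text)` context line looks decoded the same way).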
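Review bot: the expected output in test/tm-cases/issue348_incomplete_tag.html, as it appears here, starts with a literal `<lol@/`, i.e. the unescaped tag, which would make the test assert exactly the behaviour the patch is meant to prevent; the intended expectation is presumably `&lt;lol@/ ...` with the entity, so check that the entity survived in the actual file rather than being decoded in transit. The accompanying .opts file with `{"safe_mode": "escape"}` is right, since `_encode_incomplete_tags` only acts in the `replace` and `escape` modes.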