Bug 877258 (CVE-2014-3146) - VUL-0: CVE-2014-3146: python-lxml: clean_html input sanitization flaw
Summary: VUL-0: CVE-2014-3146: python-lxml: clean_html input sanitization flaw
Status: RESOLVED FIXED
Alias: CVE-2014-3146
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Deadline: 2014-09-09
Assignee: Thomas Schraitle
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/98697/
Whiteboard: maint:released:sle11-sp1:58717 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-12 05:25 UTC by Sebastian Krahmer
Modified: 2014-11-13 12:20 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Swamp Workflow Management 2014-05-12 22:00:20 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-05-23 08:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (877258) was mentioned in
https://build.opensuse.org/request/show/235149 13.1 / python-lxml
https://build.opensuse.org/request/show/235150 12.3 / python-lxml+python3-lxml
Comment 4 Thomas Schraitle 2014-05-28 10:28:16 UTC
Resolved issue with the above commit.
Comment 5 Sebastian Krahmer 2014-05-28 11:19:05 UTC
reopened for tracking. SLE not necessary to fix?
Comment 6 Sebastian Krahmer 2014-05-28 11:19:37 UTC
.
Comment 7 Swamp Workflow Management 2014-05-30 15:04:39 UTC
openSUSE-SU-2014:0735-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 657698,877258
CVE References: CVE-2014-3146
Sources used:
openSUSE 13.1 (src):    python-lxml-3.2.3-2.5.1
openSUSE 12.3 (src):    python-lxml-2.3.4-6.4.1, python3-lxml-2.3.4-6.4.1
Comment 8 Thomas Biege 2014-06-22 10:24:18 UTC
Thomas, can you check if SLE is affected please. Thanks.
Comment 12 Alexander Bergmann 2014-08-26 16:22:21 UTC
Upstream fix:

https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc

I've just checked the openSUSE submissions again and found a problem there.

1. The 12.3 submission for python3-lxml has a patch included, but the patch did not get applied in the %prep section.

2. We missed fixing this python3-lxml problem for 13.1.

3. We need a submission with the above python-lxml fix for SLE-11-SP1-TD and SLE-11-SP3.

4. The python-lxml package for SLE-12 is on version lxml-3.2.3 and does not have this fix. The python3-lxml package, on the other hand, is on version lxml-3.3.5, where the fix is already included. Therefore please upgrade the python-lxml package to the same version as python3-lxml.
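The report above only calls this an "input sanitization flaw". The CVE description is more specific: clean_html in lxml before 3.3.5 did not properly handle control characters in link attribute values, so a javascript: scheme broken up by a C0 control character could pass the cleaner while a browser still executes it. The block below is an added, self-contained Python illustration of that failure mode and of the hardened check (strip control characters as well as whitespace before matching the scheme). It is not lxml's code and not the upstream commit; the scheme list, the function names and the sample URLs are constructed here for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# URL schemes that execute script or smuggle content when they reach an
# href/src attribute. Illustrative list, not lxml's exact one.
_DANGEROUS_SCHEME_RE = re.compile(
    r"^(?:javascript|jscript|livescript|vbscript|data|about|mocha):", re.I
)

# Pre-fix behaviour: only whitespace is removed before the scheme is matched.
_STRIP_WHITESPACE_RE = re.compile(r"\s+")

# Hardened behaviour: C0 control characters are removed as well, because
# browsers ignore them inside a scheme name, so "java\x01script:" is
# rendered and executed as "javascript:".
_STRIP_WS_AND_CONTROL_RE = re.compile(r"[\s\x00-\x08\x0b\x0c\x0e-\x1f]+")


def _normalise(url, strip_re):
    """Percent-decode, then strip every character strip_re matches."""
    # Decoding first matters: "j%0Davascript:" only reveals its scheme
    # once the encoded CR has been turned back into a raw character.
    return strip_re.sub("", unquote_plus(url))


def naive_is_dangerous(url):
    """The flawed check: a control character inside the scheme defeats it."""
    return _DANGEROUS_SCHEME_RE.match(_normalise(url, _STRIP_WHITESPACE_RE)) is not None


def hardened_is_dangerous(url):
    """The corrected check: control characters cannot split the scheme."""
    return _DANGEROUS_SCHEME_RE.match(_normalise(url, _STRIP_WS_AND_CONTROL_RE)) is not None


def clean_href(url, is_dangerous=hardened_is_dangerous):
    """Attribute value to keep: '' when the URL must be dropped."""
    return "" if is_dangerous(url) else url


# Constructed sample attribute values for this demonstration (not taken from
# the bug report or from any real site).
SAMPLES = [
    "javascript:alert(1)",        # plain scheme: both checks catch it
    "  JaVaScRiPt:alert(1)",      # leading blanks, mixed case: both catch it
    "j%0Davascript:alert(1)",     # encoded CR: decoded to \r, which \s strips
    "java\x01script:alert(1)",    # SOH inside the scheme: bypasses the naive check
    "\x00javascript:alert(1)",    # leading NUL: bypasses the naive check
    "https://example.com/",       # benign absolute URL
    "/relative/path",             # benign relative URL
]


def flagged_by(is_dangerous):
    """Subset of SAMPLES that the given check rejects, in SAMPLES order."""
    return [u for u in SAMPLES if is_dangerous(u)]


def bypasses_naive_check():
    """Sample values the hardened check rejects but the naive one lets through."""
    return [u for u in SAMPLES if hardened_is_dangerous(u) and not naive_is_dangerous(u)]


if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u!r:30} naive={naive_is_dangerous(u)!s:5} hardened={hardened_is_dangerous(u)}")
    print("bypasses naive check:", bypasses_naive_check())
```

The design point is the order of operations: decode, then strip everything a browser would ignore, then match the scheme. Matching the raw attribute value, or stripping only `\s`, leaves exactly the gap that the control-character samples exercise.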
Comment 13 Swamp Workflow Management 2014-08-26 16:22:45 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-09-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58716
Comment 14 SMASH SMASH 2014-08-26 16:25:12 UTC
Affected packages:

SLE-11-SP1: python-lxml
SLE-11-SP3: python-lxml
Comment 18 Swamp Workflow Management 2014-10-10 23:04:56 UTC
SUSE-SU-2014:1282-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 877258
CVE References: CVE-2014-3146
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    python-lxml-2.3.6-0.13.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    python-lxml-2.3.6-0.13.1
SUSE Linux Enterprise Server 11 SP3 (src):    python-lxml-2.3.6-0.13.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    python-lxml-2.3.6-0.13.1
Comment 19 Marcus Meissner 2014-11-07 12:32:56 UTC
12.3 and 13.1 were not done yet... Thomas?
Comment 21 Johannes Segitz 2014-11-13 12:20:05 UTC
openSUSE updates are in comment#3, so we're done here