src:python-bleach: Regular expression denial of service (CVE-2020-6817)

Related Vulnerabilities: CVE-2020-6817  

Debian Bug report logs - #955388


Reported by: Scott Kitterman <scott@kitterman.com>

Date: Mon, 30 Mar 2020 23:09:02 UTC

Severity: important

Tags: security

Found in versions python-bleach/3.1.3-1, python-bleach/3.1.2-0+deb10u1, python-bleach/3.1.0-1

Fixed in version python-bleach/3.1.4-1

Done: Scott Kitterman <scott@kitterman.com>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#955388; Package src:python-bleach. (Mon, 30 Mar 2020 23:09:03 GMT)


Acknowledgement sent to Scott Kitterman <scott@kitterman.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 30 Mar 2020 23:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Scott Kitterman <scott@kitterman.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: src:python-bleach: Regular expression denial of service (CVE-2020-6817)
Date: Mon, 30 Mar 2020 19:05:29 -0400
Package: src:python-bleach
Version: 3.1.2-0+deb10u1
Severity: important
Tags: security

Once again with a python-bleach security issue...

https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm

Title
regular expression denial-of-service (ReDoS) in BleachSanitizerFilter.sanitize_css gauntlet regular expression

Impact

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

Fixed In

3.1.4

Workarounds

    do not whitelist the style attribute in bleach.clean calls

    limit input string length

References

    https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
    https://www.regular-expressions.info/redos.html
    https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817
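The two workarounds the advisory lists, as an added example that is not code from bleach, the advisory or the Debian package: a wrapper that removes `style` from any of the three allowlist shapes `bleach.clean` accepts (list, dict of tag to list or callable, single callable) and rejects over-long input before the sanitizer runs. The cap value, the function names and the injected `clean_fn` parameter are assumptions made for this example.

```python
"""Hardening wrapper for bleach.clean: never allow the style attribute
(so the sanitize_css regex is never reached) and cap the input length."""
from collections.abc import Mapping

MAX_INPUT_LEN = 64 * 1024  # assumed cap; size it to the application's real needs


def strip_style(attributes):
    """Return an allowlist of the same shape with 'style' removed.

    bleach.clean accepts a list applied to every tag, a dict mapping tag to a
    list (or to a callable), or one callable(tag, name, value) -> bool.
    """
    if callable(attributes):
        return lambda tag, name, value: name != "style" and attributes(tag, name, value)
    if isinstance(attributes, Mapping):
        cleaned = {}
        for tag, allowed in attributes.items():
            if callable(allowed):
                # Bind `allowed` per iteration so each wrapper keeps its own callable.
                cleaned[tag] = (lambda f: lambda t, n, v: n != "style" and f(t, n, v))(allowed)
            else:
                cleaned[tag] = [a for a in allowed if a != "style"]
        return cleaned
    return [a for a in attributes if a != "style"]


def within_cap(text, max_len=MAX_INPUT_LEN):
    """Second workaround: refuse to sanitize input longer than max_len."""
    return len(text) <= max_len


class InputTooLong(ValueError):
    """Raised instead of handing an over-long string to the sanitizer."""


def hardened_clean(text, clean_fn, attributes, max_len=MAX_INPUT_LEN, **kwargs):
    """Apply both workarounds, then delegate to clean_fn (normally bleach.clean)."""
    if not within_cap(text, max_len):
        raise InputTooLong(f"input of {len(text)} chars exceeds cap of {max_len}")
    return clean_fn(text, attributes=strip_style(attributes), **kwargs)


if __name__ == "__main__":
    import bleach  # only needed for this demo run

    html = '<a style="color:red" href="/x">hi</a>'  # constructed sample input
    print(hardened_clean(html, bleach.clean, {"a": ["style", "href"]}, tags=["a"]))
```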



Message sent on to Scott Kitterman <scott@kitterman.com>:
Bug#955388. (Mon, 30 Mar 2020 23:57:04 GMT)


Message #8 received at 955388-submitter@bugs.debian.org:

From: Scott Kitterman <noreply@salsa.debian.org>
To: 955388-submitter@bugs.debian.org
Subject: Bug#955388 marked as pending in python-bleach
Date: Mon, 30 Mar 2020 23:52:04 +0000
Control: tag -1 pending

Hello,

Bug #955388 in python-bleach reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/python-bleach/-/commit/70d1901f22618e617107e8238706c1bc5bc7cc00

------------------------------------------------------------------------
New upstream security release (CVE-2020-6817) (Closes: #955388)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/955388



Added tag(s) pending. Request was from Scott Kitterman <noreply@salsa.debian.org> to 955388-submitter@bugs.debian.org. (Mon, 30 Mar 2020 23:57:04 GMT)


Reply sent to Scott Kitterman <scott@kitterman.com>:
You have taken responsibility. (Tue, 31 Mar 2020 00:09:04 GMT)


Notification sent to Scott Kitterman <scott@kitterman.com>:
Bug acknowledged by developer. (Tue, 31 Mar 2020 00:09:04 GMT)


Message #15 received at 955388-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 955388-close@bugs.debian.org
Subject: Bug#955388: fixed in python-bleach 3.1.4-1
Date: Tue, 31 Mar 2020 00:07:26 +0000
Source: python-bleach
Source-Version: 3.1.4-1
Done: Scott Kitterman <scott@kitterman.com>

We believe that the bug you reported is fixed in the latest version of
python-bleach, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 955388@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated python-bleach package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 30 Mar 2020 19:48:37 -0400
Source: python-bleach
Architecture: source
Version: 3.1.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Closes: 955388
Changes:
 python-bleach (3.1.4-1) unstable; urgency=high
 .
   * New upstream security release (CVE-2020-6817) (Closes: #955388)





Marked as found in versions python-bleach/3.1.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Mar 2020 03:27:03 GMT)


Marked as found in versions python-bleach/3.1.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Mar 2020 03:27:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Mar 31 08:34:44 2020; Machine Name: buxtehude
