Bug 1193752 (CVE-2021-43818)

Summary: VUL-0: CVE-2021-43818: python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: cathy.hu, kstreitova, mcepl, meissner, rfrohl, salt-maintainers, smash_bz, stoyan.manolov, thomas.schraitle, victor.zhestkov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/317292/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-43818:6.1:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gabriele Sonnu 2021-12-15 09:27:05 UTC
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2032569
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43818
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
Comment 1 Gabriele Sonnu 2021-12-15 09:28:14 UTC
Affected packages:
 - SUSE:Carwos:1/python-lxml                                  4.4.2
 - SUSE:SLE-11-SP3:Update/python-lxml                         2.3.6
 - SUSE:SLE-11:Update/python-lxml                             2.1.2
 - SUSE:SLE-12-SP2:Update/python-lxml                         3.6.1
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-lxml  4.2.4
 - SUSE:SLE-15-SP2:Update/python-lxml                         4.4.2
 - SUSE:SLE-15:Update/python-lxml                             4.0.0
 - openSUSE:Factory/python-lxml                               4.6.4


Upstream patches:
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
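The advisory above describes the bug (script inside SVG embedded via data: URIs surviving the HTML Cleaner) but gives no way to check an installation. The following is an added example for this bug report; it is not lxml's code and not part of the SUSE update. It uses only the standard library, so it runs with or without lxml: `upstream_is_patched` compares an upstream version string against 4.6.5, `find_svg_script_data_uris` decodes data: URIs in URL-bearing attributes and flags SVG payloads carrying script (usable as a second opinion over a cleaner's output), and `cleaner_keeps_svg_script` runs the real `lxml.html.clean.Cleaner` over the sample when it is importable. The set of URL attributes, the "script" marker regexes and `SAMPLE_HTML` are my assumptions and constructed input, not material from the advisory.

```python
# Added example for this bug report: not lxml's code and not part of the SUSE
# update. Standard library only, so it runs with or without lxml installed.
# Assumptions (mine): the URL-attribute set, the "script" marker regexes and
# the constructed SAMPLE_HTML.
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

FIXED_UPSTREAM = (4, 6, 5)  # first upstream release with the fix (GHSA-55x5-fj6c-h6m8)

def parse_version(text):
    """Leading numeric components: '4.7.1' -> (4, 7, 1), '4.6.5.dev0' -> (4, 6, 5)."""
    parts = []
    for piece in text.strip().split('.'):
        m = re.match(r'\d+', piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def upstream_is_patched(version_text):
    """True for an upstream (PyPI) version >= 4.6.5. Not valid for distro backports:
    python-lxml-3.6.1-8.5.1 on SLE 12 SP5 (Comment 13) is fixed although 3.6.1 < 4.6.5."""
    return parse_version(version_text) >= FIXED_UPSTREAM

_DATA_URI = re.compile(r'^\s*data:(?P<meta>[^,]*),(?P<body>.*)$', re.I | re.S)

def decode_data_uri(value):
    """(mime, payload_bytes) for a data: URI, None for anything else."""
    m = _DATA_URI.match(value)
    if m is None:
        return None
    meta = [p.strip().lower() for p in m.group('meta').split(';')]
    mime = meta[0] or 'text/plain'
    if 'base64' not in meta[1:]:
        return mime, unquote_to_bytes(m.group('body'))
    raw = re.sub(r'\s+', '', m.group('body'))
    try:
        return mime, base64.b64decode(raw + '=' * (-len(raw) % 4))
    except ValueError:          # binascii.Error is a ValueError subclass
        return None

_SVG_TAG = re.compile(rb'<\s*svg\b', re.I)
_SCRIPT_MARKERS = re.compile(
    rb'<\s*script\b'         # inline <script> element
    rb'|\son[a-z]+\s*='      # event handler attribute such as onload=
    rb'|javascript\s*:',     # javascript: URL inside the SVG
    re.I)

class _UriAttributes(HTMLParser):
    """Collect attribute values a browser resolves as URLs (assumed set)."""
    URI_ATTRS = frozenset({'src', 'href', 'xlink:href', 'data', 'action',
                           'formaction', 'poster', 'background'})

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and name in self.URI_ATTRS:
                self.found.append((tag, name, value))

def find_svg_script_data_uris(html):
    """One finding per data: URI whose decoded payload is SVG carrying script,
    the input class CVE-2021-43818 is about. Independent of lxml, so it can be
    run over a cleaner's *output* as a second opinion."""
    parser = _UriAttributes()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, attr, value in parser.found:
        decoded = decode_data_uri(value)
        if decoded is None:
            continue
        mime, payload = decoded
        looks_svg = 'svg' in mime or _SVG_TAG.search(payload) is not None
        if looks_svg and _SCRIPT_MARKERS.search(payload):
            findings.append({'tag': tag, 'attr': attr, 'mime': mime})
    return findings

# Constructed sample: base64 SVG with <script>, percent-encoded SVG with onload=,
# a harmless PNG data: URI and an ordinary https link.
_SVG_WITH_SCRIPT = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                    b'<script>alert(document.domain)</script></svg>')
SAMPLE_HTML = (
    '<img src="data:image/svg+xml;base64,'
    + base64.b64encode(_SVG_WITH_SCRIPT).decode('ascii') + '">'
    '<object data="data:image/svg+xml,%3Csvg%20onload%3D%22alert(1)%22%3E%3C/svg%3E"></object>'
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
    '<a href="https://example.invalid/page.html">plain link</a>'
)

def cleaner_keeps_svg_script(html=SAMPLE_HTML):
    """Run lxml.html.clean.Cleaner over the sample, if importable, and re-scan the
    result. None: lxml.html.clean unavailable. True: an SVG data: URI carrying
    script survived cleaning, the behaviour the advisory describes."""
    try:
        from lxml.html.clean import Cleaner
    except ImportError:
        return None
    cleaned = Cleaner(scripts=True, javascript=True, embedded=True).clean_html(html)
    return bool(find_svg_script_data_uris(cleaned))
```

On the SUSE products listed further down in this bug, the fixed builds keep their old upstream number (python-lxml-3.6.1-8.5.1 on SLE 12 SP5, python-lxml-4.2.4-3.3.1 on SUSE OpenStack Cloud 9), so `upstream_is_patched` is only meaningful for pip-installed lxml; for the distro package compare `rpm -q python3-lxml` (or `rpm -q --changelog python3-lxml | grep CVE-2021-43818`) against the release in the advisory instead.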
Comment 2 OBSbugzilla Bot 2022-01-04 16:50:03 UTC
This is an autogenerated message for OBS integration:
This bug (1193752) was mentioned in
https://build.opensuse.org/request/show/943802 Factory / python-lxml
Comment 4 Thomas Schraitle 2022-02-09 14:47:33 UTC
I've discussed it with the maintenance team and updated the package for SUSE:SLE-15-SP2:Update to 4.7.1 a few days ago. It was accepted:

  https://build.suse.de/request/show/263873

CVE-2021-43818 was fixed in version 4.6.5 which is included in the above version. :)

I'm not entirely sure which channels get triggered by this. Also, SUSE:SLE-11:Update/python-lxml and SUSE:SLE-11-SP3:Update/python-lxml look quite old. General support for them already ended on 31 Mar 2019.
Comment 8 Thomas Schraitle 2022-02-14 11:31:18 UTC
Thanks Gabriele! No problem. :)

I've tried to update SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-lxml to 4.7.1 but am currently struggling with the tests. I get this message:

-----
[    2s] Building lxml version 4.7.1.
[    2s] Building with Cython 0.28.4.
[    2s] Building against libxml2 2.9.4 and libxslt 1.1.28
...
[   54s] + /usr/bin/python3 setup.py build '--executable=/usr/bin/python3 -s' --with-cython
[   54s] This lxml version requires Python 2.7, 3.5 or later.
-----

As far as I can see, there was also no Python3 package for the above repo. So I've tried to explicitly add a line with "%define skip_python3 1", but without success.

I could remove the tests, but it would be nice to keep consistent SPEC files if possible.

Any hints?
Comment 11 Swamp Workflow Management 2022-03-10 20:20:23 UTC
openSUSE-SU-2022:0803-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python-lxml-4.7.1-3.7.1
openSUSE Leap 15.3 (src):    python-lxml-4.7.1-3.7.1
Comment 12 Swamp Workflow Management 2022-03-10 20:22:07 UTC
SUSE-SU-2022:0803-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    python-lxml-4.7.1-3.7.1
SUSE Manager Retail Branch Server 4.1 (src):    python-lxml-4.7.1-3.7.1
SUSE Manager Proxy 4.1 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    python-lxml-4.7.1-3.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    python-lxml-4.7.1-3.7.1
SUSE Enterprise Storage 7 (src):    python-lxml-4.7.1-3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-03-17 20:17:36 UTC
SUSE-SU-2022:0895-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1118088,1179534,1184177,1193752
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-lxml-3.6.1-8.5.1
SUSE OpenStack Cloud 8 (src):    python-lxml-3.6.1-8.5.1
SUSE Linux Enterprise Server 12-SP5 (src):    python-lxml-3.6.1-8.5.1
HPE Helion Openstack 8 (src):    python-lxml-3.6.1-8.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Victor Zhestkov 2022-04-01 07:43:17 UTC
SR with the update for the Salt Bundle was created: https://build.opensuse.org/request/show/966354
Comment 18 Swamp Workflow Management 2022-05-18 19:17:03 UTC
SUSE-SU-2022:1729-1: An update that solves 17 vulnerabilities, contains two features and has one errata is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1186380,1189390,1189794,1192070,1192073,1192075,1193597,1193688,1193752,1194521,1194551,1194552,1194952,1194954,1199138
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-38155,CVE-2021-40085,CVE-2021-41182,CVE-2021-41183,CVE-2021-41184,CVE-2021-43813,CVE-2021-43818,CVE-2021-44716,CVE-2022-22815,CVE-2022-22816,CVE-2022-22817,CVE-2022-23451,CVE-2022-23452,CVE-2022-29970
JIRA References: SOC-11620,SOC-11621
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, rubygem-sinatra-1.4.6-4.3.1
SUSE OpenStack Cloud 9 (src):    ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1, grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, venv-openstack-barbican-7.0.1~dev24-3.35.2, venv-openstack-cinder-13.0.10~dev24-3.38.1, venv-openstack-designate-7.0.2~dev2-3.35.1, venv-openstack-glance-17.0.1~dev30-3.33.1, venv-openstack-heat-11.0.4~dev4-3.35.1, venv-openstack-horizon-14.1.1~dev11-4.39.1, venv-openstack-ironic-11.1.5~dev18-4.33.1, venv-openstack-keystone-14.2.1~dev9-3.36.1, venv-openstack-magnum-7.2.1~dev1-4.35.1, venv-openstack-manila-7.4.2~dev60-3.41.1, venv-openstack-monasca-2.7.1~dev10-3.37.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.35.1, venv-openstack-neutron-13.0.8~dev206-6.39.1, venv-openstack-nova-18.3.1~dev91-3.39.1, venv-openstack-octavia-3.2.3~dev7-4.35.1, venv-openstack-sahara-9.0.2~dev15-3.35.1, venv-openstack-swift-2.19.2~dev48-2.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.