On Thursday, February 27, 2020 8:11:32 AM EST Salvatore Bonaccorso wrote:
> Hi Scott,
>
> On Thu, Feb 27, 2020 at 01:41:44PM +0100, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Thu, Feb 27, 2020 at 01:18:55PM +0100, Salvatore Bonaccorso wrote:
> > > I think though we might need to revisit the assessment that older
> > > versions are not affected. Look at this quick and dirty test
> > > deduced from the testsuite:
> >
> > So I think versions before are as well vulnerable but a fix will
> > become not so easy. First back in b07814e0753c ("Extract all html5lib
> > things into a shim module") in v3.0.0 did split some code from
> > bleach.sanitizer to bleach.html5lib_shim, and before in 67afdf8ae7d3
> > ("Prevent HTMLTokenizer from unescaping entities") in v2.1 was quite
> > refactored.
> >
> > Now I'm not entirely sure how we should fix that for stretch.
>
> Additional point, in earlier versions the package depended on html5lib,
> then the code was vendored out to bleach itself, and then further
> modified as above. So while it is true one can argue the affected code
> is not in bleach, the bleach.clean still does not properly sanitize,
> leading to the issue.
>
> It is possibly too hard to actually fix the issue for stretch (and for
> LTS interest as well in jessie)?
I don't think so. I think the lowest risk approach, other than leaving it as is, would be to backport 3.1.1 and use the vendored html5lib. I gave that a quick try and it doesn't work out of the box. If that is something the security team would consider, please let me know and I'll spend some time investigating if I can make that work on stretch.

Scott K