Hello community, here is the log from the commit of package python-feedparser for openSUSE:11.4 checked in at Thu Apr 7 17:01:19 CEST 2011.
--------
--- old-versions/11.4/all/python-feedparser/python-feedparser.changes 2009-09-03 15:56:52.000000000 +0200
+++ 11.4/python-feedparser/python-feedparser.changes 2011-03-17 02:35:42.000000000 +0100
@@ -1,0 +2,12 @@
+Thu Mar 17 01:23:51 UTC 2011 - jfunk@funktronics.ca
+
+- Fix issue 91: invalid text in XML declaration causes sanitizer to crash
+ (CVE-2011-1156 bnc#680074)
+- Fix issue 254: sanitization can be bypassed by malformed XML comments
+ (CVE-2011-1157 bnc#680074)
+- Fix issue 255: sanitizer doesn't strip unsafe URI schemes (CVE-2011-1158
+ bnc#680074)
+- Fix issue 195: XSS vulnerability in feedparser (bnc#680074)
+
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/python-feedparser
Destination is old-versions/11.4/UPDATES/all/python-feedparser
calling whatdependson for 11.4-i586
New:
----
feedparser-issue195.patch
feedparser-issue254-CVE-2011-1157.patch
feedparser-issue255-CVE-2011-1158.patch
feedparser-issue91-CVE-2011-1156.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-feedparser.spec ++++++
--- /var/tmp/diff_new_pack.5NeZBN/_old 2011-04-07 17:01:05.000000000 +0200
+++ /var/tmp/diff_new_pack.5NeZBN/_new 2011-04-07 17:01:05.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package python-feedparser (Version 4.1)
+# spec file for package python-feedparser
 #
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,12 +20,16 @@
 Name: python-feedparser
 Version: 4.1
-Release: 1
+Release: 9.<RELEASE10>
 Summary: Universal Feed Parser Module for Python
 Url: http://sourceforge.net/projects/feedparser/
 License: BSD
 Group: Development/Libraries/Python
 Source: %{modname}-%{version}.tar.bz2
+Patch0: feedparser-issue195.patch
+Patch1: feedparser-issue255-CVE-2011-1158.patch
+Patch2: feedparser-issue254-CVE-2011-1157.patch
+Patch3: feedparser-issue91-CVE-2011-1156.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %{py_requires}
 BuildRequires: python-devel python-setuptools
@@ -44,6 +48,10 @@
 %prep
 %setup -q -n %{modname}-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 chmod 0644 README
 %build
++++++ feedparser-issue195.patch ++++++
Index: feedparser-4.1/tests/wellformed/sanitize/item_content_encoded_script_nested_cdata.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/wellformed/sanitize/item_content_encoded_script_nested_cdata.xml
@@ -0,0 +1,11 @@
+<!--
+Description: ensure nested CDATA sections are sanitized properly
+Expect: not bozo and entries[0]['content'][0]['value'] == u'<![CDATA[]]>'
+-->
+<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
+<channel>
+ <item>
+ content:encoded<![CDATA[<![CDATA[<script></script>]]>]]></content:encoded>
+ </item>
+</channel>
+</rss>
Index: feedparser-4.1/tests/illformed/sanitize/item_content_encoded_script_nested_cdata.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/illformed/sanitize/item_content_encoded_script_nested_cdata.xml
@@ -0,0 +1,11 @@
+<!--
+Description: ensure nested CDATA sections are sanitized properly
+Expect: bozo and entries[0]['content'][0]['value'] == u'<![CDATA[]]>'
+-->
+<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
+<channel>
+ <item>
+ content:encoded<![CDATA[<![CDATA[<script></script>]]>]]></content:encoded>
+ </item>
+</channel>
+</rss
Index: feedparser-4.1/feedparser.py
===================================================================
--- feedparser-4.1.orig/feedparser.py
+++ feedparser-4.1/feedparser.py
@@ -1649,6 +1649,7 @@ class _HTMLSanitizer(_BaseHTMLProcessor)
 def _sanitizeHTML(htmlSource, encoding):
     p = _HTMLSanitizer(encoding)
+    htmlSource = htmlSource.replace('<![CDATA[', '<![CDATA[')
     p.feed(htmlSource)
     data = p.output()
     if TIDY_MARKUP:
++++++ feedparser-issue254-CVE-2011-1157.patch ++++++
Index: feedparser-4.1/tests/wellformed/sanitize/xml_malicious_comment.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/wellformed/sanitize/xml_malicious_comment.xml
@@ -0,0 +1,7 @@
+<!--
+Description: malicious comment
+Expect: not bozo and feed['title'] == u'safe'
+-->
+<feed xmlns="http://www.w3.org/2005/Atom">
+ <title type="html">sa<!-- -- nonwhitespace >fe<script>alert(1);</script></title>
+</feed>
Index: feedparser-4.1/tests/wellformed/sanitize/xml_unclosed_comment.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/wellformed/sanitize/xml_unclosed_comment.xml
@@ -0,0 +1,7 @@
+<!--
+Description: unclosed comment
+Expect: not bozo and feed['title'] == u'safe'
+-->
+<feed xmlns="http://www.w3.org/2005/Atom">
+ <title type="html">safe<!--</title>
+</feed>
Index: feedparser-4.1/feedparser.py
===================================================================
--- feedparser-4.1.orig/feedparser.py
+++ feedparser-4.1/feedparser.py
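Review bot: As rendered on this page the added line `htmlSource = htmlSource.replace('<![CDATA[', '<![CDATA[')` replaces a string with itself and is a no-op, so the nested-CDATA tests added alongside it could not pass against the code as shown. The test's `Expect:` value shows the same lost escaping, which points to the `&lt;`-escaped replacement text having been decoded when this mail was rendered rather than to a defect in the patch file; confirm the on-disk patch reads `htmlSource = htmlSource.replace('<![CDATA[', '&lt;![CDATA[')` before it is applied. A one-line comment above the substitution stating its intent — neutralise the opening marker so a CDATA section nested inside already-decoded content is treated as text by the sanitizer — would save the next maintainer from reading it as a typo. The body of `_sanitizeHTML` continues past the hunk.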
@@ -1657,6 +1657,19 @@ class _HTMLSanitizer(_BaseHTMLProcessor)
         if not self.unacceptablestack:
             _BaseHTMLProcessor.handle_data(self, text)
+    def parse_comment(self, i, report=1):
+        ret = _BaseHTMLProcessor.parse_comment(self, i, report)
+        if ret >= 0:
+            return ret
+        # if ret == -1, this may be a malicious attempt to circumvent
+        # sanitization, or a page-destroying unclosed comment
+        match = re.compile(r'--[^>]*>').search(self.rawdata, i+4)
+        if match:
+            return match.end()
+        # unclosed comment; deliberately fail to handle_data()
+        return len(self.rawdata)
+
+
 def _sanitizeHTML(htmlSource, encoding):
     p = _HTMLSanitizer(encoding)
     htmlSource = htmlSource.replace('<![CDATA[', '<![CDATA[')
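Review bot: `re.compile(r'--[^>]*>')` inside the new `parse_comment` is rebuilt on every comment the strict parser rejects; hoist it to a module-level constant, `_COMMENT_CLOSE_RE = re.compile(r'--[^>]*>')`, and use `match = _COMMENT_CLOSE_RE.search(self.rawdata, i+4)`. The `i+4` offset presumably assumes `self.rawdata[i:i+4]` is `<!--` when sgmllib dispatches here; that assumption belongs in a docstring, along with the fact that returning `len(self.rawdata)` for an unclosed comment intentionally discards the rest of the input (fail closed), which is the behaviour the `xml_unclosed_comment.xml` test pins. Consider also documenting that the fallback regex accepts a `--` followed by non-whitespace before `>`, since that is exactly the malformed-comment case the `xml_malicious_comment.xml` test exercises.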
@@ -1626,9 +1626,19 @@ class _HTMLSanitizer(_BaseHTMLProcessor)
             if tag in self.unacceptable_elements_with_end_tag:
                 self.unacceptablestack += 1
             return
-        attrs = self.normalize_attrs(attrs)
-        attrs = [(key, value) for key, value in attrs if key in self.acceptable_attributes]
-        _BaseHTMLProcessor.unknown_starttag(self, tag, attrs)
+
+        clean_attrs = []
+        for key, value in self.normalize_attrs(attrs):
+            if key in self.acceptable_attributes:
+                key=keymap.get(key,key)
+                # make sure the uri uses an acceptable uri scheme
+                if key == u'href':
+                    value = _makeSafeAbsoluteURI(value)
+                clean_attrs.append((key,value))
+            elif key=='style':
+                clean_value = self.sanitize_style(value)
+                if clean_value: clean_attrs.append((key,clean_value))
+        _BaseHTMLProcessor.unknown_starttag(self, tag, clean_attrs)
     def unknown_endtag(self, tag):
         if not tag in self.acceptable_elements:
++++++ feedparser-issue91-CVE-2011-1156.patch ++++++
Index: feedparser-4.1/tests/wellformed/sanitize/xml_declaration_unexpected_character.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/wellformed/sanitize/xml_declaration_unexpected_character.xml
@@ -0,0 +1,7 @@
+<!--
+Description: xml declaration unexpected character
+Expect: not bozo and feed['title'] == u'<!DOCTYPE ~'
+-->
+<feed xmlns="http://www.w3.org/2005/Atom">
+ <title type="html"><!DOCTYPE ~</title>
+</feed>
Index: feedparser-4.1/feedparser.py
===================================================================
--- feedparser-4.1.orig/feedparser.py
+++ feedparser-4.1/feedparser.py
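Review bot: The new attribute loop references `keymap`, `_makeSafeAbsoluteURI` and `self.sanitize_style`, and none of them is defined or added by any patch visible on this page; unless the feedparser 4.1 tree already provides them, the first acceptable start tag that carries an attribute raises `NameError` (or `AttributeError` for `sanitize_style`), which fails closed but turns the sanitizer into a crash on ordinary feeds. This appears to be a backport of the upstream change, where `keymap` is initialised at the top of the method and `_makeSafeAbsoluteURI` is a module-level helper, so either confirm both land in 4.1 or drop the `keymap` lookup and the `style` branch for which 4.1 has no counterpart. Separately, only `href` is passed through the scheme check; any other URI-bearing attribute that is in `acceptable_attributes` (for example `src`, if it is listed) is appended unchanged, so the fix covers one attribute rather than the class of problem, and that scope should at least be stated in the comment. The method's signature and the start of its body lie outside the hunk.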
@@ -1525,6 +1525,14 @@ class _BaseHTMLProcessor(sgmllib.SGMLPar
         '''Return processed HTML as a single string'''
         return ''.join([str(p) for p in self.pieces])
+    def parse_declaration(self, i):
+        try:
+            return sgmllib.SGMLParser.parse_declaration(self, i)
+        except sgmllib.SGMLParseError:
+            # escape the doctype declaration and continue parsing
+            self.handle_data('<')
+            return i+1
+
 class _LooseFeedParser(_FeedParserMixin, _BaseHTMLProcessor):
     def __init__(self, baseuri, baselang, encoding):
         sgmllib.SGMLParser.__init__(self)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
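Review bot: As rendered here the fallback `self.handle_data('<')` hands a raw `<` to the output for the rejected declaration, which would place the unescaped character straight into sanitized content despite the comment saying "escape"; the test's expected value `u'<!DOCTYPE ~'` on this page shows the same entity decoding, so the patch file most likely reads `self.handle_data('&lt;')` — confirm before applying. The method deserves a short docstring saying that `sgmllib.SGMLParseError` from a malformed `<!` declaration is caught so parsing degrades to literal text instead of aborting the whole feed, and that returning `i+1` resumes scanning immediately after the `<`. Since `_HTMLSanitizer` and `_LooseFeedParser` both derive from `_BaseHTMLProcessor`, this fallback changes behaviour for the loose feed parser as well as the sanitizer, which is worth noting in the changelog entry. The class header is outside the hunk.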