Ubuntu
lxml package

python-lxml vulnerable to CVE-2014-3146

Bug #1319603 reported by Ryan Scarbery on 2014-05-15

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	lxml (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

Description: Ubuntu 12.04.4 LTS
Release: 12.04

python-lxml:
  Installed: 2.3.2-1
  Candidate: 2.3.2-1
  Version table:
*** 2.3.2-1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status

lxml.html.clean_html fails to appropriately escape javascript in the presence of escaped control characters.

Example PoC:
http://seclists.org/fulldisclosure/2014/Apr/210

This is patched in lxml-3.3.5:
https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc

CVE References

2014-3146

Seth Arnold (seth-arnold) on 2014-05-15

information type:

Private Security → Public Security

Ryan Scarbery (ryan-scarbery) on 2014-05-22

Changed in lxml (Ubuntu):
status:	New → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulxml package