From 7e71021a606ae0da34db5c1d882dfd971a82b3b8 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Sat, 23 Jul 2022 23:37:46 +0200
Subject: [PATCH] package/python-lxml: security bump to version 4.9.1

Fix CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a
denial of service (or application crash). This only applies when lxml is
used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and
earlier are not affected. It allows triggering crashes through forged
input data, given a vulnerable code sequence in the application. The
vulnerability is caused by the iterwalk function (also used by the
canonicalize function). Such code shouldn't be in wide-spread use, given
that parsing + iterwalk would usually be replaced with the more
efficient iterparse function. However, an XML converter that serialises
to C14N would also be vulnerable, for example, and there are legitimate
use cases for this code sequence. If untrusted input is received (also
remotely) and processed via iterwalk function, a crash can be triggered.

https://github.com/lxml/lxml/blob/lxml-4.9.1/CHANGES.txt

Signed-off-by: Fabrice Fontaine
Signed-off-by: Arnout Vandecappelle (Essensium/Mind)
(cherry picked from commit ff3b5ca2c11bae44a5410da6f8630fff1971c063)
Signed-off-by: Peter Korsgaard
---
 package/python-lxml/python-lxml.hash | 2 +-
 package/python-lxml/python-lxml.mk   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/python-lxml/python-lxml.hash b/package/python-lxml/python-lxml.hash
index 3600d7759a..cd1943b0b4 100644
--- a/package/python-lxml/python-lxml.hash
+++ b/package/python-lxml/python-lxml.hash
@@ -1,5 +1,5 @@ # Locally computed -sha256 f63f62fc60e6228a4ca9abae28228f35e1bd3ce675013d1dfb828688d50c6e23 lxml-4.8.0.tar.gz +sha256 fe749b052bb7233fe5d072fcb549221a8cb1a16725c47c37e42b0b9cb3ff2c3f lxml-4.9.1.tar.gz sha256 41d49dd406aa0e1548a6d5f21a30d6bf638b3cd96eb7289dd348d83ed2e40392 LICENSES.txt sha256 69edb445c1335a8312d4c09271847e9956d84f0d9f724d125340cc3fad767b2a doc/licenses/BSD.txt sha256 0497ae8138811ef4466ede653bab7a59feb3d3c14f9ed50fc33a00aeb5bec32e doc/licenses/elementtree.txt diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk index 90935a7ee1..050495c3f3 100644 --- a/package/python-lxml/python-lxml.mk +++ b/package/python-lxml/python-lxml.mk @@ -4,8 +4,8 @@ # ################################################################################ -PYTHON_LXML_VERSION = 4.8.0 -PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/3b/94/e2b1b3bad91d15526c7e38918795883cee18b93f6785ea8ecf13f8ffa01e +PYTHON_LXML_VERSION = 4.9.1 +PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/70/bb/7a2c7b4f8f434aa1ee801704bf08f1e53d7b5feba3d5313ab17003477808 PYTHON_LXML_SOURCE = lxml-$(PYTHON_LXML_VERSION).tar.gz # Not including the GPL, because it is used only for the test scripts.
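Review bot: in the python-lxml.hash hunk only the tarball line under "# Locally computed" changes, while the LICENSES.txt and doc/licenses/*.txt hashes are carried over unchanged, and the commit message does not say they were re-verified against the lxml-4.9.1 tarball; please state that in the message (or re-check them). Since the new sha256 for lxml-4.9.1.tar.gz is locally computed rather than taken from an upstream signature, the message should also say where the digest was cross-checked (for example against the sha256 PyPI publishes for the same file), because this hash line is the only integrity check Buildroot applies to the download.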
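Review bot: the python-lxml.mk hunk only bumps PYTHON_LXML_VERSION and moves PYTHON_LXML_SITE to the new per-file files.pythonhosted.org path for the 4.9.1 upload, and nothing here touches or pins the libxml2 dependency; yet the commit message says the CVE "only applies when lxml is used together with libxml2 2.9.10 through 2.9.14". Please make the message explicit that the fix lives in lxml 4.9.1 itself (per the linked CHANGES.txt) and is wanted regardless of which libxml2 the target build links, otherwise a reader may conclude the bump is unnecessary when their libxml2 is outside that range.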
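The commit message gives the affected combination as lxml before this bump linked against libxml2 2.9.10 through 2.9.14. The following is an added audit helper (example code, not part of the Buildroot patch or of lxml) that decides whether an lxml/libxml2 version pair falls in that range and, when lxml happens to be importable, reads the installed versions from `lxml.__version__` and `lxml.etree.LIBXML_VERSION` (the runtime-linked libxml2). It assumes every lxml release before 4.9.1 is to be treated as vulnerable; that is a conservative reading of "security bump to version 4.9.1", not a statement the commit makes.

```python
"""Added example: is this lxml/libxml2 pair in the CVE-2022-2309 range given
in the python-lxml 4.9.1 bump? Not part of the Buildroot patch or of lxml."""
from __future__ import annotations

import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Ranges taken from the commit message: libxml2 2.9.10 through 2.9.14 inclusive.
LIBXML2_AFFECTED_MIN: Version = (2, 9, 10)
LIBXML2_AFFECTED_MAX: Version = (2, 9, 14)
# Assumption: every lxml release before the 4.9.1 bump is treated as vulnerable.
LXML_FIXED: Version = (4, 9, 1)


def parse_version(text: str) -> Version:
    """Turn '4.9.1', '2.9.14' or '2.9' into a 3-tuple; trailing tags such as
    'rc1' are ignored, missing components count as 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(lxml_version: str, libxml2_version: str) -> bool:
    """True when lxml is older than the fixed release AND libxml2 is inside
    the 2.9.10..2.9.14 window from the commit message."""
    lx = parse_version(lxml_version)
    lib = parse_version(libxml2_version)
    return lx < LXML_FIXED and LIBXML2_AFFECTED_MIN <= lib <= LIBXML2_AFFECTED_MAX


def libxml2_version_string(version_tuple: Tuple[int, ...]) -> str:
    """lxml exposes the linked libxml2 version as a tuple like (2, 9, 14)."""
    return ".".join(str(part) for part in version_tuple)


def live_check() -> Optional[bool]:
    """Inspect the lxml installed in this interpreter, if any.
    Returns None when lxml is not importable, else the is_affected() verdict."""
    try:
        import lxml
        from lxml import etree
    except ImportError:
        return None
    return is_affected(lxml.__version__, libxml2_version_string(etree.LIBXML_VERSION))


if __name__ == "__main__":
    # Constructed sample pairs: the Buildroot before/after versions from the patch
    # against the libxml2 boundary releases named in the commit message.
    for pair in [("4.8.0", "2.9.9"), ("4.8.0", "2.9.10"), ("4.8.0", "2.9.14"),
                 ("4.9.1", "2.9.14")]:
        print(f"lxml {pair[0]} + libxml2 {pair[1]}: affected={is_affected(*pair)}")
    verdict = live_check()
    print("installed lxml:", "not importable" if verdict is None else f"affected={verdict}")
```

On a target image the live check is the one that matters: it reads the libxml2 actually linked at runtime, which is what the commit message's range refers to, rather than the version lxml was compiled against.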