SOURCES/CVE-2020-27783.patch

@@ -1,8 +1,30 @@
+From 725268a12dacbb153dacf9d8cc22cfe37ff230ff Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Wed, 6 Jan 2021 10:20:09 +0100
+Subject: [PATCH] CVE-2020-27783
+
+---
+ src/lxml/html/clean.py             | 29 ++++++++++++++++++++---------
+ src/lxml/html/tests/test_clean.py  | 20 ++++++++++++++++++++
+ src/lxml/html/tests/test_clean.txt | 12 ++++++++++--
+ 3 files changed, 50 insertions(+), 11 deletions(-)
+
 diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
-index adc3f45..6f3f7de 100644
+index adc3f45..0492fca 100644
 --- a/src/lxml/html/clean.py
 +++ b/src/lxml/html/clean.py
-@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
+@@ -4,8 +4,9 @@ Removes unwanted tags and content.  See the `Cleaner` class for
+ details.
+ """
+ 
+-import re
+ import copy
++import re
++import sys
+ try:
+     from urlparse import urlsplit
+ except ImportError:
+@@ -61,12 +62,16 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
  
  # This is an IE-specific construct you can have in a stylesheet to
  # run some Javascript:
@@ -18,11 +40,12 @@ index adc3f45..6f3f7de 100644
 +    r'@\s*import', re.I).sub
 +
 +_looks_like_tag_content = re.compile(
-+    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
++    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=',
++    *((re.ASCII,) if sys.version_info[0] >= 3 else ())).search
  
  # All kinds of schemes besides just javascript: that can cause
  # execution:
-@@ -292,8 +295,8 @@ class Cleaner(object):
+@@ -292,8 +297,8 @@ class Cleaner(object):
              if not self.inline_style:
                  for el in _find_styled_elements(doc):
                      old = el.get('style')
@@ -33,7 +56,7 @@ index adc3f45..6f3f7de 100644
                      if self._has_sneaky_javascript(new):
                          # Something tricky is going on...
                          del el.attrib['style']
-@@ -305,9 +308,9 @@ class Cleaner(object):
+@@ -305,9 +310,9 @@ class Cleaner(object):
                          el.drop_tree()
                          continue
                      old = el.text or ''
@@ -45,7 +68,7 @@ index adc3f45..6f3f7de 100644
                      if self._has_sneaky_javascript(new):
                          # Something tricky is going on...
                          el.text = '/* deleted */'
-@@ -509,6 +512,12 @@ class Cleaner(object):
+@@ -509,6 +514,12 @@ class Cleaner(object):
              return True
          if 'expression(' in style:
              return True
@@ -119,3 +142,6 @@ index c78ab4f..c901871 100644
    </head>
    <body>
      <a href="">a link</a>
+-- 
+2.29.2
+

SOURCES/CVE-2021-43818.patch

@@ -1,8 +1,8 @@
 diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
-index 6f3f7de..da5af16 100644
+index 0492fca..5225a5e 100644
 --- a/src/lxml/html/clean.py
 +++ b/src/lxml/html/clean.py
-@@ -73,18 +73,25 @@ _looks_like_tag_content = re.compile(
+@@ -75,18 +75,25 @@ _looks_like_tag_content = re.compile(
  
  # All kinds of schemes besides just javascript: that can cause
  # execution:
@@ -36,7 +36,7 @@ index 6f3f7de..da5af16 100644
  
  # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
  _conditional_comment_re = re.compile(
-@@ -512,6 +519,8 @@ class Cleaner(object):
+@@ -514,6 +521,8 @@ class Cleaner(object):
              return True
          if 'expression(' in style:
              return True
@@ -46,16 +46,17 @@ index 6f3f7de..da5af16 100644
              # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
              return True
 diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
-index e40cdad..ad9a598 100644
+index e40cdad..4fab442 100644
 --- a/src/lxml/html/tests/test_clean.py
 +++ b/src/lxml/html/tests/test_clean.py
-@@ -1,3 +1,5 @@
+@@ -1,3 +1,6 @@
 +import base64
 +import gzip
++import io
  import unittest, sys
  from lxml.tests.common_imports import make_doctest
  from lxml.etree import LIBXML_VERSION
-@@ -89,6 +91,69 @@ class CleanerTest(unittest.TestCase):
+@@ -89,6 +92,73 @@ class CleanerTest(unittest.TestCase):
              b'<math><style>/* deleted */</style></math>',
              lxml.html.tostring(clean_html(s)))
  
@@ -82,7 +83,11 @@ index e40cdad..ad9a598 100644
 +    def test_svg_data_links(self):
 +        # Remove SVG images with potentially insecure content.
 +        svg = b'<svg onload="alert(123)" />'
-+        svgz = gzip.compress(svg)
++        gzout = io.BytesIO()
++        f = gzip.GzipFile(fileobj=gzout, mode='wb')
++        f.write(svg)
++        f.close()
++        svgz = gzout.getvalue()
 +        svg_b64 = base64.b64encode(svg).decode('ASCII')
 +        svgz_b64 = base64.b64encode(svgz).decode('ASCII')
 +        urls = [

SOURCES/fix-threading-tests.patch

@@ -1,8 +1,8 @@
 diff --git a/src/lxml/tests/test_threading.py b/src/lxml/tests/test_threading.py
-index 8948c3e..5ede3f8 100644
+index 8948c3ec6..5ede3f805 100644
 --- a/src/lxml/tests/test_threading.py
 +++ b/src/lxml/tests/test_threading.py
-@@ -130,7 +130,7 @@ class ThreadingTestCase(HelperTestCase):
+@@ -130,7 +130,7 @@ def test_thread_xslt_parsing_error_log(self):
      <xsl:template match="tag" />
      <!-- extend time for parsing + transform -->
  ''' + '\n'.join('<xsl:template match="tag%x" />' % i for i in range(200)) + '''
@@ -11,7 +11,7 @@ index 8948c3e..5ede3f8 100644
  </xsl:stylesheet>''')
          self.assertRaises(etree.XSLTParseError,
                            etree.XSLT, style)
-@@ -153,9 +153,10 @@ class ThreadingTestCase(HelperTestCase):
+@@ -153,9 +153,10 @@ def run_thread():
              self.assertTrue(len(log))
              if last_log is not None:
                  self.assertEqual(len(last_log), len(log))

SPECS/python-lxml.spec

@@ -2,7 +2,7 @@
 
 Name:           python-%{modname}
 Version:        4.2.3
-Release:        4%{?dist}
+Release:        6%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
 
 License:        BSD
@@ -14,6 +14,8 @@ Source0:        http://lxml.de/files/%{modname}-%{version}.tgz
 # Two upstream commits combined:
 #   Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
 #   Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
+# + one workaround for Python2, where `re.ASCII` is the default mode
+#   https://github.com/lxml/lxml/commit/4cb57362deb23bca0f70f41ab1efa13390fcdbb1
 Patch0:         CVE-2020-27783.patch
 
 # Fix for CVE-2021-28957: missing input sanitization
@@ -26,10 +28,13 @@ Patch1: CVE-2021-28957.patch
 # Fixed upstream:
 # https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
 # https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
+# + the python2 specific fixes for the tests
+# https://github.com/lxml/lxml/commit/a9611ba80bc5196c1dd07a0b1964fcb603695d63
 Patch2:         CVE-2021-43818.patch
 
-# Make test more resilient against changes in latest libxslt releases
+# Fix the threading tests for the latest libxslt
-# Fixed upstream: https://github.com/lxml/lxml/commit/acef361ca80ff9afd828d91c98ea91c92f9d09af
+# Fixed upstream:
+# https://github.com/lxml/lxml/commit/acef361ca80ff9afd828d91c98ea91c92f9d09af
 Patch3:         fix-threading-tests.patch
 
 BuildRequires:  gcc
@@ -45,56 +50,65 @@ home page < or see our bug tracker at case you want to use the current ...
 
 %description %{_description}
 
-%package -n     python3-%{modname}
+%package -n     python2-%{modname}
 Summary:        %{summary}
-BuildRequires:  python3-devel
+BuildRequires:  python2-devel
-BuildRequires:  python3-setuptools
+BuildRequires:  python2-setuptools
-BuildRequires:  python3-Cython
+BuildRequires:  python2-Cython
-Recommends:     python3-cssselect
+Recommends:     python2-cssselect
-Recommends:     python3-html5lib
+Recommends:     python2-html5lib
-Recommends:     python3-beautifulsoup4
+Recommends:     python2-beautifulsoup4
-%{?python_provide:%python_provide python3-%{modname}}
+%{?python_provide:%python_provide python2-%{modname}}
 
-%description -n python3-%{modname} %{_description}
+%description -n python2-%{modname} %{_description}
 
-Python 3 version.
+Python 2 version.
 
 %prep
 %autosetup -n %{modname}-%{version} -p1
 
 %build
 export WITH_CYTHON=true
-%py3_build
+%py2_build
 
 %install
-%py3_install
+%py2_install
 
 %check
 # The tests assume inplace build, so we copy the built library to source-dir.
 # If not done that, Python can either import the tests or the extension modules, but not both.
-cp -a build/lib.%{python3_platform}-%{python3_version}/* src/
+cp -a build/lib.linux-*-%{python2_version}/* src/
 # The options are: verbose, unit, functional
-%{python3} test.py -vuf
+# We need the UTF-8 locale for the tests to work properly on python2
+LANG=C.UTF-8 %{__python2} test.py -vuf
 
-%files -n python3-%{modname}
+%files -n python2-%{modname}
 %license doc/licenses/ZopePublicLicense.txt LICENSES.txt
 %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
-%{python3_sitearch}/%{modname}/
+%{python2_sitearch}/%{modname}/
-%{python3_sitearch}/%{modname}-*.egg-info/
+%{python2_sitearch}/%{modname}-*.egg-info/
 
 %changelog
-* Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-4
+* Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-6
 - Security fix for CVE-2021-43818
 Resolves: rhbz#2032569
 
-* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-3
+* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-5
 - Security fix for CVE-2021-28957
 Resolves: rhbz#1941534
 
-* Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-2
+* Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-4
 - Security fix for CVE-2020-27783: mXSS due to the use of improper parser
 Resolves: rhbz#1901633
 
+* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 4.2.3-3
+- Bumping due to problems with modular RPM upgrade path
+- Resolves: rhbz#1695587
+
+* Sun Oct 14 2018 Tomas Orsava <torsava@redhat.com> - 4.2.3-2
+- Conditionalize the python3 subpackage
+- Resolves: rhbz#1638698
+
 * Thu Aug 02 2018 Sebastian Kisela <skisela@redhat.com> - 4.2.3-1
 - New upstream release 4.2.3