CVE request: python-lxml clean_html() input sanitization flaw

[Martin Prpic <mprpic () redhat com>]

Hi, can a CVE be assigned to the following issue?

The lxml.html.clean module cleans up HTML by removing embedded or script content, special tags, CSS style annotations 
and much more. It was found [1] that the clean_html() function, provided by the lxml.html.clean module, did not 
properly clean HTML input if it included non-printed characters (\x01-\x08). A remote attacker could use this flaw to 
serve malicious content to an application using the clean_html() function to process HTML, possibly allowing the 
attacker to inject malicious code into a website generated by this application.

This issue has been reported upstream at [2] and a patch is available at [3].

[1] http://seclists.org/fulldisclosure/2014/Apr/210
[2] https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
[3] https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc

Red Hat Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1092613

-- 
Martin Prpič / Red Hat Security Response Team