Notification time stamped 2023-04-30 11:02:15 UTC
From 0bc4066bad9d08a4742ec537dc2df262990308ff Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA mtasaka@fedoraproject.org
Date: Apr 30 2023 10:59:16 +0000
Subject: Backport upstream patch for CVE-2020-26298 (bug 1915370)
---
diff --git a/redcarpet-3.3.2-CVE-2020-26298.patch b/redcarpet-3.3.2-CVE-2020-26298.patch new file mode 100644 index 0000000..a497676 --- /dev/null +++ b/redcarpet-3.3.2-CVE-2020-26298.patch @@ -0,0 +1,56 @@ +From a699c82292b17c8e6a62e1914d5eccc252272793 Mon Sep 17 00:00:00 2001 +From: Robin Dupret robin.dupret@hey.com +Date: Tue, 15 Dec 2020 20:57:32 +0100 +Subject: [PATCH] Fix a security issue using `:quote` with `:escape_html` + +Reported by @johan-smits. +--- + CHANGELOG.md | 7 +++++++ + ext/redcarpet/html.c | 9 ++++++++- + lib/redcarpet.rb | 2 +- + redcarpet.gemspec | 4 ++-- + test/markdown_test.rb | 10 ++++++++++ + 5 files changed, 28 insertions(+), 4 deletions(-) + +diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c +index 805ddd8e..785f780f 100644 +--- a/ext/redcarpet/html.c ++++ b/ext/redcarpet/html.c +@@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque) + if (!text || !text->size) + return 0; + ++ struct html_renderopt *options = opaque; ++ + BUFPUTSL(ob, "<q>"); +- bufput(ob, text->data, text->size); ++ ++ if (options->flags & HTML_ESCAPE) ++ escape_html(ob, text->data, text->size); ++ else ++ bufput(ob, text->data, text->size); ++ + BUFPUTSL(ob, "</q>"); + + return 1; +diff --git a/test/markdown_test.rb b/test/markdown_test.rb +index 4347be9b..68de1255 100644 +--- a/test/markdown_test.rb ++++ b/test/markdown_test.rb +@@ -220,6 +220,16 @@ def test_quote_flag_works + assert output.include? '<q>quote</q>' + end + ++ def test_quote_flag_honors_escape_html ++ text = 'We are not "<svg/onload=pwned>"' ++ ++ output_enabled = render(text, with: [:quote, :escape_html]) ++ output_disabled = render(text, with: [:quote]) ++ ++ assert_equal "<p>We are not <q><svg/onload=pwned></q></p>\n", output_enabled ++ assert_equal "<p>We are not <q><svg/onload=pwned></q></p>\n", output_disabled ++ end ++ + def test_that_fenced_flag_works + text = <<fenced + This is a simple test 
diff --git a/rubygem-redcarpet.spec b/rubygem-redcarpet.spec index 8b4ab30..fcfa04c 100644 --- a/rubygem-redcarpet.spec +++ b/rubygem-redcarpet.spec @@ -2,13 +2,21 @@
Name: rubygem-%{gem_name} Version: 3.3.2 -Release: 25%{?dist} +Release: 26%{?dist}
Summary: A fast, safe and extensible Markdown to (X)HTML parser # https://github.com/vmg/redcarpet/issues/502 License: MIT and ISC URL: http://github.com/vmg/redcarpet Source0: https://rubygems.org/gems/%%7Bgem_name%7D-%%7Bversion%7D.gem +# https://github.com/advisories/GHSA-q3wr-qw3g-3p4h +# https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc25227... +# https://nvd.nist.gov/vuln/detail/CVE-2020-26298 +# Fix a security issue using :quote with :escape_html +# Fixed in 3.5.1 +# A bit modified for 3.3.2 +# Note that 14942b4f5ef8dbaeeff8d9212f098391d7c1fbdc does chomp, reverting this +Patch0: %{gem_name}-3.3.2-CVE-2020-26298.patch
BuildRequires: gcc BuildRequires: ruby(release) @@ -29,6 +37,7 @@ Documentation for %{name}.
%prep %setup -q -n %{gem_name}-%{version} +%patch -P0 -p1
%build gem build ../%{gem_name}-%{version}.gemspec @@ -87,6 +96,9 @@ popd
%changelog +* Sun Apr 30 2023 Mamoru TASAKA mtasaka@fedoraproject.org - 3.3.2-26 +- Bacckport upstream patch for CVE-2020-26298 (bug 1915370) + * Fri Jan 20 2023 Fedora Release Engineering releng@fedoraproject.org - 3.3.2-25 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
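Review bot: In the ext/redcarpet/html.c hunk, `struct html_renderopt *options = opaque;` is declared after the early `return 0;` and `options->flags` is then read with no check that `opaque` is set. Move the declaration to the top of rndr_quote so the file does not depend on mixed declarations and code, and confirm that this callback always receives the renderer's html_renderopt as `opaque` in 3.3.2, since the escape decision now depends on it.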
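Review bot: In test_quote_flag_honors_escape_html the two assert_equal calls, as they appear here, expect the same string for output_enabled and output_disabled, so the test would pass whether or not :escape_html changes how the quoted text is rendered. The expectation for output_enabled should be the entity-escaped form of the quoted markup, and only the output_disabled case should keep the raw `<svg/onload=pwned>` inside `<q>`. It is also worth checking that the spec's test step actually runs test/markdown_test.rb, otherwise this regression test is never exercised in the build.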
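Review bot: The spec comment "A bit modified for 3.3.2" above Patch0 does not say what was changed. The embedded patch header still lists five files (CHANGELOG.md, ext/redcarpet/html.c, lib/redcarpet.rb, redcarpet.gemspec, test/markdown_test.rb) with 28 insertions, but only the html.c and test/markdown_test.rb diffs are carried. State in the comment which upstream hunks were dropped and why, so a later rebase can tell the backport from the original. Separately, "Bacckport" in the new %changelog entry is misspelled and will ship in the package changelog.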
https://src.fedoraproject.org/rpms/rubygem-redcarpet/c/0bc4066bad9d08a4742ec...
scm-commits@lists.fedoraproject.org