Hi,

On Sat, Mar 20, 2021 at 08:50:21AM +0100, Salvatore Bonaccorso wrote:
> Source: ruby-kramdown
> Version: 2.3.0-4
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/gettalong/kramdown/pull/708
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for ruby-kramdown.
>
> CVE-2021-28834[0]:
> | Kramdown before 2.3.1 does not restrict Rouge formatters to the
> | Rouge::Formatters namespace, and thus arbitrary classes can be
> | instantiated.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
I just uploaded a fix for bullseye, and prepared the attached update for buster. It passes its own autopkgtest, and I don't see the possibility of any regressions in non-malicious code. Let me know if I can go ahead and upload.
diff --git a/debian/changelog b/debian/changelog index 7830bf5..0541988 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ruby-kramdown (1.17.0-1+deb10u2) buster-security; urgency=high + + * Team upload. + * Add upstream patch to fix arbitrary code execution vulnerability + [CVE-2021-28834] (Closes: #985569) + + -- Antonio Terceiro <terce...@debian.org> Sat, 03 Apr 2021 13:05:12 -0300 + ruby-kramdown (1.17.0-1+deb10u1) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff --git a/debian/patches/0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch b/debian/patches/0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch new file mode 100644 index 0000000..5d9780e --- /dev/null +++ b/debian/patches/0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch 
@@ -0,0 +1,56 @@ +From: Stan Hu <sta...@gmail.com> +Date: Sat, 3 Apr 2021 13:00:47 -0300 +Subject: Restrict Rouge formatters to Rouge::Formatters namespace + +ff0218a added support for specifying custom Rouge formatters with the +constraint that the formatter be in theRouge::Formatters namespace, but +it did not actually enforce this constraint. For example, this is valid: + +```ruby +Rouge::Formatters.const_get('CSV') +=> CSV +``` + +Adding the `false` parameter to `const_get` prevents this: + +```ruby +Rouge::Formatters.const_get('CSV', false) +NameError: uninitialized constant Rouge::Formatters::CSV +``` + +This is a backport of the original patch at +https://github.com/gettalong/kramdown/pull/708, backported by Antonio +Terceiro to version 1.17.0. + +Signed-off-by: Antonio Terceiro <terce...@debian.org> +--- + lib/kramdown/converter/syntax_highlighter/rouge.rb | 2 +- + test/test_files.rb | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb +index e1e5a0d..a6894d6 100644 +--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb ++++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb +@@ -59,7 +59,7 @@ module Kramdown::Converter::SyntaxHighlighter + when Class + formatter + when /\A[[:upper:]][[:alnum:]_]*\z/ +- ::Rouge::Formatters.const_get(formatter) ++ ::Rouge::Formatters.const_get(formatter, false) + else + # Available in Rouge 2.0 or later + ::Rouge::Formatters::HTMLLegacy +diff --git a/test/test_files.rb b/test/test_files.rb +index 30b9888..c985833 100644 +--- a/test/test_files.rb ++++ b/test/test_files.rb +@@ -20,7 +20,7 @@ begin + end + + # custom formatter for tests +- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class ++ class Rouge::Formatters::RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class + tag 'rouge_html_formatters' + + def stream(tokens, &b) 
diff --git a/debian/patches/series b/debian/patches/series index 2de2e62..2a2bfc1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ skip_missing_math_engines.patch fix_manpage_warnings.patch Add-option-forbidden_inline_options.patch +0004-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch
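Review bot: the changelog entry calls this an "arbitrary code execution vulnerability", while the CVE text quoted at the top only says that arbitrary classes can be instantiated; consider wording the entry after the CVE description (e.g. "arbitrary class instantiation via Rouge formatter names") so the severity claim matches the advisory.

Review bot: in the backported patch description, "theRouge::Formatters" is missing a space. On the rouge.rb hunk itself, `::Rouge::Formatters.const_get(formatter, false)` is the right fix: the regex on the preceding `when` already rejects `::`-qualified names, and disabling the inherited lookup stops `const_get` from falling through to Object, so only constants defined directly under `::Rouge::Formatters` now resolve. Note that the `when Class` branch still accepts any class object; that is only reachable from Ruby callers passing the option, not from document input, and a one-line comment saying so would help the next backporter.

Review bot: the test_files.rb hunk only keeps the existing custom-formatter test passing by moving `RougeHTMLFormatters` into `Rouge::Formatters`; nothing asserts the new rejection. A test that a top-level constant name such as `'CSV'` (the example used in the patch description) now raises `NameError` from the lookup would catch the `false` argument being lost in a later rebase.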
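As an added example (not kramdown's or Debian's code), the following models the formatter lookup from the rouge.rb hunk with the unrestricted and the restricted `const_get` side by side; `FakeRouge`, `NAME_RE` and the lookup methods are constructed stand-ins, and `File` plays the role of the top-level constant that `CSV` has in the patch description.

```ruby
# Constructed stand-in for the rouge gem's Rouge::Formatters namespace.
module FakeRouge
  module Formatters
    class HTML; end # stand-in for Rouge::Formatters::HTML
  end
end

# Same name filter as the `when` branch in kramdown's rouge.rb: an
# upper-case identifier with no "::", so nested lookups are impossible.
NAME_RE = /\A[[:upper:]][[:alnum:]_]*\z/

# Pre-fix behaviour: Module#const_get with inherit=true (the default) also
# searches Object, so any top-level constant (CSV, File, ...) resolves.
def lookup_unrestricted(name)
  return nil unless name.is_a?(String) && name.match?(NAME_RE)

  FakeRouge::Formatters.const_get(name)
end

# Post-fix behaviour: inherit=false limits resolution to constants defined
# directly in the namespace; anything else raises NameError.
def lookup_restricted(name)
  return nil unless name.is_a?(String) && name.match?(NAME_RE)

  FakeRouge::Formatters.const_get(name, false)
end

# Returns the resolved class, nil for a name the regex refuses, or
# :rejected when the namespace does not define the constant.
def resolve(name, restricted:)
  restricted ? lookup_restricted(name) : lookup_unrestricted(name)
rescue NameError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  %w[HTML File Rouge::Formatters::HTML].each do |n|
    puts "#{n}: unrestricted=#{resolve(n, restricted: false).inspect} " \
         "restricted=#{resolve(n, restricted: true).inspect}"
  end
end
```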