Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package ruby-kramdown

[ Reason ]
Fixes a CVE and RC bug #985569

[ Tests ]
all autopkgtests of reverse dependencies passed.

[ Risks ]
The change should not cause regressions on non-malicious code.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock ruby-kramdown/2.3.0-5
commit b80244870c477d90090305f569eea39f7bd2b3f5 Author: Antonio Terceiro <terce...@debian.org> Date: Sat Apr 3 10:40:54 2021 -0300 Add upstream patch to fix arbitrary code execution vulnerability This is CVE-2021-28834 Closes: #985569 diff --git a/debian/changelog b/debian/changelog index 088c244..012d553 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ruby-kramdown (2.3.0-5) unstable; urgency=medium + + * Team upload. + * Add upstream patch to fix arbitrary code execution vulnerability + [CVE-2021-28834] (Closes: #985569) + + -- Antonio Terceiro <terce...@debian.org> Sat, 03 Apr 2021 10:39:28 -0300 + ruby-kramdown (2.3.0-4) unstable; urgency=medium * Recommend ruby-rouge, for out-of-the-box syntax highlighting diff --git a/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch b/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch new file mode 100644 index 0000000..68457a6 --- /dev/null +++ b/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch 
@@ -0,0 +1,69 @@ +From: Stan Hu <sta...@gmail.com> +Date: Sun, 14 Mar 2021 11:21:00 -0700 +Subject: Restrict Rouge formatters to Rouge::Formatters namespace + +ff0218a added support for specifying custom Rouge formatters with the +constraint that the formatter be in theRouge::Formatters namespace, but +it did not actually enforce this constraint. For example, this is valid: + +```ruby +Rouge::Formatters.const_get('CSV') +=> CSV +``` + +Adding the `false` parameter to `const_get` prevents this: + +```ruby +Rouge::Formatters.const_get('CSV', false) +NameError: uninitialized constant Rouge::Formatters::CSV +``` +--- + lib/kramdown/converter/syntax_highlighter/rouge.rb | 2 +- + test/test_files.rb | 18 +++++++++++------- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb +index c799526..ed6a4f8 100644 +--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb ++++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb +@@ -70,7 +70,7 @@ module Kramdown::Converter::SyntaxHighlighter + when Class + formatter + when /\A[[:upper:]][[:alnum:]_]*\z/ +- ::Rouge::Formatters.const_get(formatter) ++ ::Rouge::Formatters.const_get(formatter, false) + else + # Available in Rouge 2.0 or later + ::Rouge::Formatters::HTMLLegacy +diff --git a/test/test_files.rb b/test/test_files.rb +index 82ff6b0..3517e55 100644 +--- a/test/test_files.rb ++++ b/test/test_files.rb +@@ -21,16 +21,20 @@ begin + end + + # custom formatter for tests +- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class ++ module Rouge ++ module Formatters ++ class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class + +- tag 'rouge_html_formatters' ++ tag 'rouge_html_formatters' + +- def stream(tokens, &b) +- yield %(<div class="custom-class">) +- super +- yield %(</div>) +- end ++ def stream(tokens, &b) ++ yield %(<div 
class="custom-class">) ++ super ++ yield %(</div>) ++ end + ++ end ++ end + end + rescue LoadError, SyntaxError, NameError + end diff --git a/debian/patches/series b/debian/patches/series index 7d4b5b1..f8d5d26 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ fix_manpage_warnings.patch +0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch
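Review bot: the new debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch carries only the upstream From/Date/Subject lines as its header; add DEP-3 metadata (an `Origin:` line pointing at the upstream commit and a `Bug-Debian:` line for #985569) so the patch itself records where it came from and which report it resolves, rather than leaving that linkage only in debian/changelog.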
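Review bot: in the lib/kramdown/converter/syntax_highlighter/rouge.rb hunk, `::Rouge::Formatters.const_get(formatter, false)` changes a silent resolution of top-level constants (the `CSV` case from the commit message) into a `NameError` for any name not defined directly under `Rouge::Formatters`, and the surrounding `case` has no `rescue`; confirm the caller surfaces that as a configuration error rather than an unhandled exception. Note also that the `else` branch still falls back silently to `::Rouge::Formatters::HTMLLegacy` for names failing the `/\A[[:upper:]][[:alnum:]_]*\z/` regex, so a lowercase typo and a disallowed constant now fail in different ways. The patch adds no test asserting that a top-level constant name is rejected; a negative test in test/test_files.rb would guard the `false` argument against being dropped in a later refactor.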
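Review bot: in the test/test_files.rb hunk, wrapping `RougeHTMLFormatters` in `module Rouge` / `module Formatters` is what keeps the existing custom-formatter test working under the stricter lookup, but the enclosing `rescue LoadError, SyntaxError, NameError` shown in the trailing context will swallow a `NameError` raised while defining or resolving that class, so a regression in formatter lookup would silently skip the custom-formatter test instead of failing it; consider narrowing the rescue to `LoadError` for the rouge-not-installed case, or asserting after the block that the constant is defined.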