Bug#986366: marked as done (unblock: ruby-kramdown/2.3.0-5)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 04 Apr 2021 18:19:46 +0000
with message-id <E1lT7Le-0000Ga-JB@respighi.debian.org>
and subject line unblock ruby-kramdown
has caused the Debian Bug report #986366,
regarding unblock: ruby-kramdown/2.3.0-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986366
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: ruby-kramdown/2.3.0-5
• From: Antonio Terceiro <terceiro@debian.org>
• Date: Sun, 4 Apr 2021 10:31:29 -0300
• Message-id: <YGm/sTXVbECTY1Sz@debian.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-kramdown

[ Reason ]
Fixes a CVE and RC bug #985569

[ Tests ]
all autopkgtests of reverse dependencies passed.

[ Risks ]
The change should not cause regressions on non-malicious code.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock ruby-kramdown/2.3.0-5

commit b80244870c477d90090305f569eea39f7bd2b3f5
Author: Antonio Terceiro <terceiro@debian.org>
Date:   Sat Apr 3 10:40:54 2021 -0300

    Add upstream patch to fix arbitrary code execution vulnerability
    
    This is CVE-2021-28834
    
    Closes: #985569

diff --git a/debian/changelog b/debian/changelog
index 088c244..012d553 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-kramdown (2.3.0-5) unstable; urgency=medium
+
+  * Team upload.
+  * Add upstream patch to fix arbitrary code execution vulnerability
+    [CVE-2021-28834] (Closes: #985569)
+
+ -- Antonio Terceiro <terceiro@debian.org>  Sat, 03 Apr 2021 10:39:28 -0300
+
 ruby-kramdown (2.3.0-4) unstable; urgency=medium
 
   * Recommend ruby-rouge, for out-of-the-box syntax highlighting
diff --git a/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch b/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch
new file mode 100644
index 0000000..68457a6
--- /dev/null
+++ b/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch
@@ -0,0 +1,69 @@
+From: Stan Hu <stanhu@gmail.com>
+Date: Sun, 14 Mar 2021 11:21:00 -0700
+Subject: Restrict Rouge formatters to Rouge::Formatters namespace
+
+ff0218a added support for specifying custom Rouge formatters with the
+constraint that the formatter be in theRouge::Formatters namespace, but
+it did not actually enforce this constraint. For example, this is valid:
+
+```ruby
+Rouge::Formatters.const_get('CSV')
+=> CSV
+```
+
+Adding the `false` parameter to `const_get` prevents this:
+
+```ruby
+Rouge::Formatters.const_get('CSV', false)
+NameError: uninitialized constant Rouge::Formatters::CSV
+```
+---
+ lib/kramdown/converter/syntax_highlighter/rouge.rb |  2 +-
+ test/test_files.rb                                 | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb
+index c799526..ed6a4f8 100644
+--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb
++++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb
+@@ -70,7 +70,7 @@ module Kramdown::Converter::SyntaxHighlighter
+       when Class
+         formatter
+       when /\A[[:upper:]][[:alnum:]_]*\z/
+-        ::Rouge::Formatters.const_get(formatter)
++        ::Rouge::Formatters.const_get(formatter, false)
+       else
+         # Available in Rouge 2.0 or later
+         ::Rouge::Formatters::HTMLLegacy
+diff --git a/test/test_files.rb b/test/test_files.rb
+index 82ff6b0..3517e55 100644
+--- a/test/test_files.rb
++++ b/test/test_files.rb
+@@ -21,16 +21,20 @@ begin
+   end
+ 
+   # custom formatter for tests
+-  class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
++  module Rouge
++    module Formatters
++      class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
+ 
+-    tag 'rouge_html_formatters'
++        tag 'rouge_html_formatters'
+ 
+-    def stream(tokens, &b)
+-      yield %(<div class="custom-class">)
+-      super
+-      yield %(</div>)
+-    end
++        def stream(tokens, &b)
++          yield %(<div class="custom-class">)
++          super
++          yield %(</div>)
++        end
+ 
++      end
++    end
+   end
+ rescue LoadError, SyntaxError, NameError
+ end
diff --git a/debian/patches/series b/debian/patches/series
index 7d4b5b1..f8d5d26 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fix_manpage_warnings.patch
+0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch

Attachment: signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

• To: 986366-done@bugs.debian.org
• Subject: unblock ruby-kramdown
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Sun, 04 Apr 2021 18:19:46 +0000
• Message-id: <E1lT7Le-0000Ga-JB@respighi.debian.org>

Unblocked.

--- End Message ---