Your message dated Sun, 04 Apr 2021 18:19:46 +0000 with message-id <E1lT7Le-0000Ga-JB@respighi.debian.org> and subject line unblock ruby-kramdown has caused the Debian Bug report #986366, regarding unblock: ruby-kramdown/2.3.0-5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 986366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986366 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: ruby-kramdown/2.3.0-5
- From: Antonio Terceiro <terceiro@debian.org>
- Date: Sun, 4 Apr 2021 10:31:29 -0300
- Message-id: <YGm/sTXVbECTY1Sz@debian.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby-kramdown [ Reason ] Fixes a CVE and RC bug #985569 [ Tests ] all autopkgtests of reverse dependencies passed. [ Risks ] The change should not cause regressions on non-malicious code. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock ruby-kramdown/2.3.0-5commit b80244870c477d90090305f569eea39f7bd2b3f5 Author: Antonio Terceiro <terceiro@debian.org> Date: Sat Apr 3 10:40:54 2021 -0300 Add upstream patch to fix arbitrary code execution vulnerability This is CVE-2021-28834 Closes: #985569 diff --git a/debian/changelog b/debian/changelog index 088c244..012d553 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ruby-kramdown (2.3.0-5) unstable; urgency=medium + + * Team upload. + * Add upstream patch to fix arbitrary code execution vulnerability + [CVE-2021-28834] (Closes: #985569) + + -- Antonio Terceiro <terceiro@debian.org> Sat, 03 Apr 2021 10:39:28 -0300 + ruby-kramdown (2.3.0-4) unstable; urgency=medium * Recommend ruby-rouge, for out-of-the-box syntax highlighting diff --git a/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch b/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch new file mode 100644 index 0000000..68457a6 --- /dev/null +++ b/debian/patches/0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patch @@ -0,0 +1,69 @@ +From: Stan Hu <stanhu@gmail.com> +Date: Sun, 14 Mar 2021 11:21:00 -0700 +Subject: Restrict Rouge formatters to Rouge::Formatters namespace + +ff0218a added support for specifying custom Rouge formatters with the +constraint that the formatter be in theRouge::Formatters namespace, but +it did not actually enforce this constraint. For example, this is valid: + +```ruby +Rouge::Formatters.const_get('CSV') +=> CSV +``` + +Adding the `false` parameter to `const_get` prevents this: + +```ruby +Rouge::Formatters.const_get('CSV', false) +NameError: uninitialized constant Rouge::Formatters::CSV +``` +--- + lib/kramdown/converter/syntax_highlighter/rouge.rb | 2 +- + test/test_files.rb | 18 +++++++++++------- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb +index c799526..ed6a4f8 100644 +--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb ++++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb +@@ -70,7 +70,7 @@ module Kramdown::Converter::SyntaxHighlighter + when Class + formatter + when /\A[[:upper:]][[:alnum:]_]*\z/ +- ::Rouge::Formatters.const_get(formatter) ++ ::Rouge::Formatters.const_get(formatter, false) + else + # Available in Rouge 2.0 or later + ::Rouge::Formatters::HTMLLegacy +diff --git a/test/test_files.rb b/test/test_files.rb +index 82ff6b0..3517e55 100644 +--- a/test/test_files.rb ++++ b/test/test_files.rb +@@ -21,16 +21,20 @@ begin + end + + # custom formatter for tests +- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class ++ module Rouge ++ module Formatters ++ class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class + +- tag 'rouge_html_formatters' ++ tag 'rouge_html_formatters' + +- def stream(tokens, &b) +- yield %(<div class="custom-class">) +- super +- yield %(</div>) +- end ++ def stream(tokens, &b) ++ yield %(<div class="custom-class">) ++ super ++ yield %(</div>) ++ end + ++ end ++ end + end + rescue LoadError, SyntaxError, NameError + end diff --git a/debian/patches/series b/debian/patches/series index 7d4b5b1..f8d5d26 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ fix_manpage_warnings.patch +0002-Restrict-Rouge-formatters-to-Rouge-Formatters-namesp.patchAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 986366-done@bugs.debian.org
- Subject: unblock ruby-kramdown
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Sun, 04 Apr 2021 18:19:46 +0000
- Message-id: <E1lT7Le-0000Ga-JB@respighi.debian.org>
Unblocked.
--- End Message ---