diff --git a/CVE-2020-14001.patch b/CVE-2020-14001.patch
new file mode 100644
index 0000000..06ff652
--- /dev/null
+++ b/CVE-2020-14001.patch
@@ -0,0 +1,69 @@
+From: Thomas Leitner
+Date: Sat, 27 Jun 2020 14:47:21 +0200
+Subject: Add option forbidden_inline_options
+Origin:https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
+Bug-Debian: https://bugs.debian.org/965305
+Bug-Debian-Security:https://security-tracker.debian.org/tracker/CVE-2020-14001
+
+It is sometimes necessary to restrict the options that can be set
+inline, ie. using the {::options ...} extensions.
+
+By default, the template option is now forbidden to avoid possible
+security problems. This addresses CVE-2020-14001.
+---
+ lib/kramdown/options.rb | 10 ++++++++++
+ lib/kramdown/parser/kramdown/extensions.rb | 6 ++++++
+ test/testcases/block/12_extension/options.text | 2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/kramdown/options.rb b/lib/kramdown/options.rb
+index d0f1f18..2055fb9 100644
+--- a/lib/kramdown/options.rb
++++ b/lib/kramdown/options.rb
+@@ -562,6 +562,16 @@ module Kramdown
+ Used by: HTML
+ EOF
+
++ define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val|
++ Defines the options that may not be set using the {::options} extension
++
++ Default: template
++ Used by: HTML converter
++ EOF
++ val.map! {|item| item.kind_of?(String) ? str_to_sym(item) : item }
++ simple_array_validator(val, :forbidden_inline_options)
++ end
++
+ end
+ end
+diff --git a/lib/kramdown/parser/kramdown/extensions.rb b/lib/kramdown/parser/kramdown/extensions.rb
+index 493dcf7..637d0fa 100644
+--- a/lib/kramdown/parser/kramdown/extensions.rb
++++ b/lib/kramdown/parser/kramdown/extensions.rb
+@@ -110,6 +110,12 @@ module Kramdown
+ opts.select do |k, v|
+ k = k.to_sym
+ if Kramdown::Options.defined?(k)
++ if @options[:forbidden_inline_options].include?(k) ||
++ k == :forbidden_inline_options
++ warning("Option #{k} may not be set inline")
++ next false
++ end
++
+ begin
+ val = Kramdown::Options.parse(k, v)
+ @options[k] = val
+diff --git a/test/testcases/block/12_extension/options.text b/test/testcases/block/12_extension/options.text
+index 5991ab7..b63f34b 100644
+--- a/test/testcases/block/12_extension/options.text
++++ b/test/testcases/block/12_extension/options.text
+@@ -19,3 +19,5 @@ some *para*
+ Some text[^ab].
+
+ [^ab]: Some text.
++
++{::options template="/etc/passwd" /}
+--
+2.27.0
+
diff --git a/rubygem-kramdown.spec b/rubygem-kramdown.spec
index 9d4ca77..c40c72f 100644
--- a/rubygem-kramdown.spec
+++ b/rubygem-kramdown.spec
@@ -1,12 +1,13 @@
 %global gem_name kramdown
 Name: rubygem-%{gem_name}
 Version: 2.1.0
-Release: 2
+Release: 3
 Summary: A fast pure Ruby yet-another-markdown-parser
 License: MIT
 URL: http://kramdown.rubyforge.org
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Patch0000: CVE-2021-28834.patch
+Patch0001: CVE-2020-14001.patch
 BuildRequires: ruby(release) rubygems-devel rubygem(minitest) >= 5 rubygem(rouge)
 BuildRequires: rubygem(test-unit) tidy tex tex(acronym.sty) tex(amssymb.sty)
 BuildRequires: tex(amsmath.sty) tex(amsthm.sty) tex(amsfonts.sty) tex(utf8x.def) tex-ec
@@ -84,6 +85,9 @@ popd
 %doc %{gem_docdir}
 %changelog
+* Fri Jul 23 2021 yaoxin - 2.1.0-3
+- fix CVE-2020-14001
+
 * Mon Mar 29 2021 wangyue - 2.1.0-2
 - fix CVE-2021-28834
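Review bot: The test input added to test/testcases/block/12_extension/options.text only shows that a document containing `{::options template="/etc/passwd" /}` still converts; nothing in the embedded patch asserts that the `Option template may not be set inline` warning was recorded or that `@options[:template]` kept its configured value, so a later change that silently re-allows the inline setting would pass this suite unnoticed. If the kramdown test harness can compare warnings for a testcase, a check on that warning for this input would pin the fix; otherwise a small unit test along the lines of `assert_includes Kramdown::Document.new(text).warnings, "Option template may not be set inline"` would do (hedged: I cannot see the harness from here). The guard in extensions.rb itself looks right, since it rejects both the listed options and `forbidden_inline_options`, so the restriction cannot be lifted from inside a document. The `opts.select` block that the guard sits in begins and ends outside the hunk.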
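Review bot: `Patch0001: CVE-2020-14001.patch` is declared in the first hunk, but the `%prep` section that applies patches lies outside both hunks, so whether the new patch is actually applied (for example via `%autosetup -p1` or an explicit `%patch` line) cannot be confirmed from this change; a declared-but-unapplied patch would leave release 2.1.0-3 still vulnerable while the changelog claims the fix. The embedded patch also carries hunk offsets and blob ids (options.rb at line 562, index d0f1f18..2055fb9) that appear to come from a Debian backport, and it is applied after CVE-2021-28834.patch, so it may only apply with fuzz or offsets against kramdown 2.1.0; the build log for `%prep` would show that. Verifying that the built gem's lib/kramdown/options.rb defines `forbidden_inline_options` would close both questions.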