fix CVE-2020-14001

CVE-2020-14001.patch

@@ -0,0 +1,69 @@
+From: Thomas Leitner <t_leitner@gmx.at>
+Date: Sat, 27 Jun 2020 14:47:21 +0200
+Subject: Add option forbidden_inline_options
+Origin:https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
+Bug-Debian: https://bugs.debian.org/965305
+Bug-Debian-Security:https://security-tracker.debian.org/tracker/CVE-2020-14001
+
+It is sometimes necessary to restrict the options that can be set
+inline, ie. using the {::options ...} extensions.
+
+By default, the template option is now forbidden to avoid possible
+security problems. This addresses CVE-2020-14001.
+---
+ lib/kramdown/options.rb                        | 10 ++++++++++
+ lib/kramdown/parser/kramdown/extensions.rb     |  6 ++++++
+ test/testcases/block/12_extension/options.text |  2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/kramdown/options.rb b/lib/kramdown/options.rb
+index d0f1f18..2055fb9 100644
+--- a/lib/kramdown/options.rb
++++ b/lib/kramdown/options.rb
+@@ -562,6 +562,16 @@ module Kramdown
+       Used by: HTML
+     EOF
+ 
++    define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val|
++      Defines the options that may not be set using the {::options} extension
++
++      Default: template
++      Used by: HTML converter
++    EOF
++      val.map! {|item| item.kind_of?(String) ? str_to_sym(item) : item }
++      simple_array_validator(val, :forbidden_inline_options)
++    end
++
+   end
+ 
+ end
+diff --git a/lib/kramdown/parser/kramdown/extensions.rb b/lib/kramdown/parser/kramdown/extensions.rb
+index 493dcf7..637d0fa 100644
+--- a/lib/kramdown/parser/kramdown/extensions.rb
++++ b/lib/kramdown/parser/kramdown/extensions.rb
+@@ -110,6 +110,12 @@ module Kramdown
+           opts.select do |k, v|
+             k = k.to_sym
+             if Kramdown::Options.defined?(k)
++              if @options[:forbidden_inline_options].include?(k) ||
++                  k == :forbidden_inline_options
++                warning("Option #{k} may not be set inline")
++                next false
++              end
++
+               begin
+                 val = Kramdown::Options.parse(k, v)
+                 @options[k] = val
+diff --git a/test/testcases/block/12_extension/options.text b/test/testcases/block/12_extension/options.text
+index 5991ab7..b63f34b 100644
+--- a/test/testcases/block/12_extension/options.text
++++ b/test/testcases/block/12_extension/options.text
+@@ -19,3 +19,5 @@ some <span>*para*</span>
+ Some text[^ab].
+ 
+ [^ab]: Some text.
++
++{::options template="/etc/passwd" /}
+-- 
+2.27.0
+

rubygem-kramdown.spec

@@ -1,12 +1,13 @@
 %global gem_name kramdown
 Name:                rubygem-%{gem_name}
 Version:             2.1.0
-Release:             2
+Release:             3
 Summary:             A fast pure Ruby yet-another-markdown-parser
 License:             MIT
 URL:                 http://kramdown.rubyforge.org
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Patch0000:           CVE-2021-28834.patch
+Patch0001:           CVE-2020-14001.patch
 BuildRequires:       ruby(release) rubygems-devel rubygem(minitest) >= 5 rubygem(rouge)
 BuildRequires:       rubygem(test-unit) tidy tex tex(acronym.sty) tex(amssymb.sty)
 BuildRequires:       tex(amsmath.sty) tex(amsthm.sty) tex(amsfonts.sty) tex(utf8x.def) tex-ec
@@ -84,6 +85,9 @@ popd
 %doc %{gem_docdir}
 
 %changelog
+* Fri Jul 23 2021 yaoxin <yaoxin30@huawei.com> - 2.1.0-3
+- fix CVE-2020-14001
+
 * Mon Mar 29 2021 wangyue <wangyue92@huawei.com> - 2.1.0-2
 - fix CVE-2021-28834