Backport upstream patch for CVE-2020-14001 (bug 1858395)

rubygem-kramdown-2.2.1-0001-Add-option-forbidden_inline_options.patch

@@ -0,0 +1,67 @@
+From 1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde Mon Sep 17 00:00:00 2001
+From: Thomas Leitner <t_leitner@gmx.at>
+Date: Sat, 27 Jun 2020 14:47:21 +0200
+Subject: [PATCH 1/2] Add option forbidden_inline_options
+
+It is sometimes necessary to restrict the options that can be set
+inline, ie. using the {::options ...} extensions.
+
+By default, the template option is now forbidden to avoid possible
+security problems. This addresses CVE-2020-14001.
+---
+ lib/kramdown/options.rb                        | 10 ++++++++++
+ lib/kramdown/parser/kramdown/extensions.rb     |  6 ++++++
+ test/testcases/block/12_extension/options.text |  2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/kramdown/options.rb b/lib/kramdown/options.rb
+index ea67913..0214e28 100644
+--- a/lib/kramdown/options.rb
++++ b/lib/kramdown/options.rb
+@@ -589,6 +589,16 @@ module Kramdown
+       Used by: HTML converter
+     EOF
+ 
++    define(:forbidden_inline_options, Object, %w[template], <<~EOF) do |val|
++      Defines the options that may not be set using the {::options} extension
++
++      Default: template
++      Used by: HTML converter
++    EOF
++      val.map! {|item| item.kind_of?(String) ? str_to_sym(item) : item }
++      simple_array_validator(val, :forbidden_inline_options)
++    end
++
+   end
+ 
+ end
+diff --git a/lib/kramdown/parser/kramdown/extensions.rb b/lib/kramdown/parser/kramdown/extensions.rb
+index 493dcf7..637d0fa 100644
+--- a/lib/kramdown/parser/kramdown/extensions.rb
++++ b/lib/kramdown/parser/kramdown/extensions.rb
+@@ -110,6 +110,12 @@ module Kramdown
+           opts.select do |k, v|
+             k = k.to_sym
+             if Kramdown::Options.defined?(k)
++              if @options[:forbidden_inline_options].include?(k) ||
++                  k == :forbidden_inline_options
++                warning("Option #{k} may not be set inline")
++                next false
++              end
++
+               begin
+                 val = Kramdown::Options.parse(k, v)
+                 @options[k] = val
+diff --git a/test/testcases/block/12_extension/options.text b/test/testcases/block/12_extension/options.text
+index 5991ab7..b63f34b 100644
+--- a/test/testcases/block/12_extension/options.text
++++ b/test/testcases/block/12_extension/options.text
+@@ -19,3 +19,5 @@ some <span>*para*</span>
+ Some text[^ab].
+ 
+ [^ab]: Some text.
++
++{::options template="/etc/passwd" /}
+-- 
+2.26.2
+

rubygem-kramdown.spec

@@ -3,12 +3,16 @@
 
 Name: rubygem-%{gem_name}
 Version: 2.2.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Fast, pure-Ruby Markdown-superset converter
 
 License:	MIT
 URL:		http://kramdown.rubyforge.org
 Source0:	https://rubygems.org/gems/%{gem_name}-%{version}.gem
+# https://bugzilla.redhat.com/show_bug.cgi?id=1858395
+# https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
+# CVE-2020-14001
+Patch1:	rubygem-kramdown-2.2.1-0001-Add-option-forbidden_inline_options.patch
 BuildRequires:	ruby(release)
 BuildRequires:	rubygems-devel
 BuildRequires:	rubygem(minitest) >= 5
@@ -47,6 +51,7 @@ Documentation for %{name}
 %prep
 gem unpack %{SOURCE0}
 %setup -q -D -T -n  %{gem_name}-%{version}
+%patch1 -p1
 gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
 # 2.2.1 explicily adds rexml runtime dependency, which is actually provided by system ruby.
 # So writing it to kramdown gemspec is not strictly needed, removing for now
@@ -108,6 +113,9 @@ popd
 %doc	%{gem_docdir}
 
 %changelog
+* Mon Aug 10 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.2.1-4
+- Backport upstream patch for CVE-2020-14001 (bug 1858395)
+
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild