diff --git a/rubygem-kramdown-2.3.x-restrict-rouge-formatter-namespace-CVE-2021-28834.patch b/rubygem-kramdown-2.3.x-restrict-rouge-formatter-namespace-CVE-2021-28834.patch
new file mode 100644
index 0000000..fd31cb3
--- /dev/null
+++ b/rubygem-kramdown-2.3.x-restrict-rouge-formatter-namespace-CVE-2021-28834.patch
@@ -0,0 +1,70 @@
+From d6a1cbcb2caa2f8a70927f176070d126b2422760 Mon Sep 17 00:00:00 2001
+From: Stan Hu
+Date: Sun, 14 Mar 2021 11:21:00 -0700
+Subject: [PATCH] Restrict Rouge formatters to Rouge::Formatters namespace
+
+ff0218a added support for specifying custom Rouge formatters with the
+constraint that the formatter be in theRouge::Formatters namespace, but
+it did not actually enforce this constraint. For example, this is valid:
+
+```ruby
+Rouge::Formatters.const_get('CSV')
+=> CSV
+```
+
+Adding the `false` parameter to `const_get` prevents this:
+
+```ruby
+Rouge::Formatters.const_get('CSV', false)
+NameError: uninitialized constant Rouge::Formatters::CSV
+```
+---
+ .../converter/syntax_highlighter/rouge.rb | 2 +-
+ test/test_files.rb | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb
+index c799526c..ed6a4f83 100644
+--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb
++++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb
+@@ -70,7 +70,7 @@ def self.formatter_class(opts = {})
+ when Class
+ formatter
+ when /\A[[:upper:]][[:alnum:]_]*\z/
+- ::Rouge::Formatters.const_get(formatter)
++ ::Rouge::Formatters.const_get(formatter, false)
+ else
+ # Available in Rouge 2.0 or later
+ ::Rouge::Formatters::HTMLLegacy
+diff --git a/test/test_files.rb b/test/test_files.rb
+index b446b3bc..7e2ccad3 100644
+--- a/test/test_files.rb
++++ b/test/test_files.rb
+@@ -21,16 +21,20 @@
+ end
+
+ # custom formatter for tests
+- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
++ module Rouge
++ module Formatters
++ class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
+
+- tag 'rouge_html_formatters'
++ tag 'rouge_html_formatters'
+
+- def stream(tokens, &b)
+- yield %(
)
+- super
+- yield %(
)
+- end
++ def stream(tokens, &b)
++ yield %(
)
++ super
++ yield %(
)
++ end
+
++ end
++ end
+ end
+ rescue LoadError, SyntaxError, NameError
+ end
diff --git a/rubygem-kramdown.spec b/rubygem-kramdown.spec
index 7e55a08..2cb4a3c 100644
--- a/rubygem-kramdown.spec
+++ b/rubygem-kramdown.spec
@@ -3,7 +3,7 @@
 Name: rubygem-%{gem_name}
 Version: 2.3.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Fast, pure-Ruby Markdown-superset converter
 License: MIT
@@ -11,6 +11,9 @@ URL: http://kramdown.rubyforge.org
 Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 # https://github.com/gettalong/kramdown/commit/e1beb51af7fe4ecb85dbab7328f47a23c86c7df2
 Patch2: rubygem-kramdown-2.2.1-rouge-3_26_0-testsuite.patch
+# https://github.com/gettalong/kramdown/pull/708
+# From: https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
+Patch3: rubygem-kramdown-2.3.x-restrict-rouge-formatter-namespace-CVE-2021-28834.patch
 BuildRequires: ruby(release)
 BuildRequires: rubygems-devel
 BuildRequires: rubygem(minitest) >= 5
@@ -50,6 +53,7 @@ Documentation for %{name}
 %prep
 %setup -q -n %{gem_name}-%{version}
 %patch2 -p1
+%patch3 -p1
 mv ../%{gem_name}-%{version}.gemspec .
 %build
@@ -109,6 +113,9 @@ popd
 %doc %{gem_docdir}
 %changelog
+* Sun Mar 21 2021 Mamoru TASAKA - 2.3.0-3
+- Apply upstream fix for CVE-2021-28834 (rouge formatter namespace restriction)
+
 * Tue Feb 16 2021 Mamoru TASAKA - 2.3.0-2
 - Use recent packaging style
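Review bot: The regex arm of `formatter_class` still returns whatever `const_get(formatter, false)` yields without checking that it is a formatter class, so a non-formatter constant defined directly under `Rouge::Formatters` (if the installed Rouge version has any) would be handed back and later instantiated as if it were one. Consider binding the lookup and validating it, e.g. `klass = ::Rouge::Formatters.const_get(formatter, false)` / `raise ArgumentError, "not a Rouge formatter: #{formatter}" unless klass.is_a?(Class) && klass <= ::Rouge::Formatter` / `klass`; the `when Class` arm two lines above could apply the same check to caller-supplied classes. `formatter_class` begins outside the hunk (only its signature appears on the `@@` line), and the `begin`/`rescue` that wraps the relocated test formatter in test/test_files.rb also starts outside the hunk, so whether the `module Rouge` reopening lands at top level cannot be confirmed from here. Otherwise the one-line change does what the commit message describes for CVE-2021-28834: with inherit set to `false`, `Object`-level constants such as `CSV` no longer resolve through `Rouge::Formatters`.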