Apply upstream fix for CVE-2021-28834 (rouge formatter namespace restriction)

This commit is contained in:
Mamoru TASAKA 2021-03-21 15:52:47 +09:00
parent 3c0d31911d
commit 8382667464
2 changed files with 78 additions and 1 deletions

View File

@ -0,0 +1,70 @@
From d6a1cbcb2caa2f8a70927f176070d126b2422760 Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Sun, 14 Mar 2021 11:21:00 -0700
Subject: [PATCH] Restrict Rouge formatters to Rouge::Formatters namespace
ff0218a added support for specifying custom Rouge formatters with the
constraint that the formatter be in theRouge::Formatters namespace, but
it did not actually enforce this constraint. For example, this is valid:
```ruby
Rouge::Formatters.const_get('CSV')
=> CSV
```
Adding the `false` parameter to `const_get` prevents this:
```ruby
Rouge::Formatters.const_get('CSV', false)
NameError: uninitialized constant Rouge::Formatters::CSV
```
---
.../converter/syntax_highlighter/rouge.rb | 2 +-
test/test_files.rb | 18 +++++++++++-------
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/lib/kramdown/converter/syntax_highlighter/rouge.rb b/lib/kramdown/converter/syntax_highlighter/rouge.rb
index c799526c..ed6a4f83 100644
--- a/lib/kramdown/converter/syntax_highlighter/rouge.rb
+++ b/lib/kramdown/converter/syntax_highlighter/rouge.rb
@@ -70,7 +70,7 @@ def self.formatter_class(opts = {})
when Class
formatter
when /\A[[:upper:]][[:alnum:]_]*\z/
- ::Rouge::Formatters.const_get(formatter)
+ ::Rouge::Formatters.const_get(formatter, false)
else
# Available in Rouge 2.0 or later
::Rouge::Formatters::HTMLLegacy
diff --git a/test/test_files.rb b/test/test_files.rb
index b446b3bc..7e2ccad3 100644
--- a/test/test_files.rb
+++ b/test/test_files.rb
@@ -21,16 +21,20 @@
end
# custom formatter for tests
- class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
+ module Rouge
+ module Formatters
+ class RougeHTMLFormatters < Kramdown::Converter::SyntaxHighlighter::Rouge.formatter_class
- tag 'rouge_html_formatters'
+ tag 'rouge_html_formatters'
- def stream(tokens, &b)
- yield %(<div class="custom-class">)
- super
- yield %(</div>)
- end
+ def stream(tokens, &b)
+ yield %(<div class="custom-class">)
+ super
+ yield %(</div>)
+ end
+ end
+ end
end
rescue LoadError, SyntaxError, NameError
end

View File

@ -3,7 +3,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.3.0 Version: 2.3.0
Release: 2%{?dist} Release: 3%{?dist}
Summary: Fast, pure-Ruby Markdown-superset converter Summary: Fast, pure-Ruby Markdown-superset converter
License: MIT License: MIT
@ -11,6 +11,9 @@ URL: http://kramdown.rubyforge.org
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
# https://github.com/gettalong/kramdown/commit/e1beb51af7fe4ecb85dbab7328f47a23c86c7df2 # https://github.com/gettalong/kramdown/commit/e1beb51af7fe4ecb85dbab7328f47a23c86c7df2
Patch2: rubygem-kramdown-2.2.1-rouge-3_26_0-testsuite.patch Patch2: rubygem-kramdown-2.2.1-rouge-3_26_0-testsuite.patch
# https://github.com/gettalong/kramdown/pull/708
# From: https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
Patch3: rubygem-kramdown-2.3.x-restrict-rouge-formatter-namespace-CVE-2021-28834.patch
BuildRequires: ruby(release) BuildRequires: ruby(release)
BuildRequires: rubygems-devel BuildRequires: rubygems-devel
BuildRequires: rubygem(minitest) >= 5 BuildRequires: rubygem(minitest) >= 5
@ -50,6 +53,7 @@ Documentation for %{name}
%prep %prep
%setup -q -n %{gem_name}-%{version} %setup -q -n %{gem_name}-%{version}
%patch2 -p1 %patch2 -p1
%patch3 -p1
mv ../%{gem_name}-%{version}.gemspec . mv ../%{gem_name}-%{version}.gemspec .
%build %build
@ -109,6 +113,9 @@ popd
%doc %{gem_docdir} %doc %{gem_docdir}
%changelog %changelog
* Sun Mar 21 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.3.0-3
- Apply upstream fix for CVE-2021-28834 (rouge formatter namespace restriction)
* Tue Feb 16 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.3.0-2 * Tue Feb 16 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.3.0-2
- Use recent packaging style - Use recent packaging style