Bacckport upstream patch for CVE-2020-26298 (bug 1915370)

2 years ago · 0bc4066bad
parent 8d17959621
commit 0bc4066bad
2 changed files with 69 additions and 1 deletions
--- a/redcarpet-3.3.2-CVE-2020-26298.patch
+++ b/redcarpet-3.3.2-CVE-2020-26298.patch
@ -0,0 +1,56 @@
+From a699c82292b17c8e6a62e1914d5eccc252272793 Mon Sep 17 00:00:00 2001
+From: Robin Dupret <robin.dupret@hey.com>
+Date: Tue, 15 Dec 2020 20:57:32 +0100
+Subject: [PATCH] Fix a security issue using `:quote` with `:escape_html`
+
+Reported by @johan-smits.
+---
+ CHANGELOG.md          |  7 +++++++
+ ext/redcarpet/html.c  |  9 ++++++++-
+ lib/redcarpet.rb      |  2 +-
+ redcarpet.gemspec     |  4 ++--
+ test/markdown_test.rb | 10 ++++++++++
+ 5 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c
+index 805ddd8e..785f780f 100644
+--- a/ext/redcarpet/html.c
+++ b/ext/redcarpet/html.c
+@@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque)
+ 	if (!text || !text->size)
+ 		return 0;
+ 
+	struct html_renderopt *options = opaque;
+
+ 	BUFPUTSL(ob, "<q>");
+-	bufput(ob, text->data, text->size);
+
+	if (options->flags & HTML_ESCAPE)
+		escape_html(ob, text->data, text->size);
+	else
+		bufput(ob, text->data, text->size);
+
+ 	BUFPUTSL(ob, "</q>");
+ 
+ 	return 1;
+diff --git a/test/markdown_test.rb b/test/markdown_test.rb
+index 4347be9b..68de1255 100644
+--- a/test/markdown_test.rb
+++ b/test/markdown_test.rb
+@@ -220,6 +220,16 @@ def test_quote_flag_works
+     assert output.include? '<q>quote</q>'
+   end
+ 
+  def test_quote_flag_honors_escape_html
+    text = 'We are not "<svg/onload=pwned>"'
+
+    output_enabled  = render(text, with: [:quote, :escape_html])
+    output_disabled = render(text, with: [:quote])
+
+    assert_equal "<p>We are not <q>&lt;svg/onload=pwned&gt;</q></p>\n", output_enabled
+    assert_equal "<p>We are not <q><svg/onload=pwned></q></p>\n", output_disabled
+  end
+
+   def test_that_fenced_flag_works
+     text = <<fenced
+ This is a simple test
--- a/rubygem-redcarpet.spec
+++ b/rubygem-redcarpet.spec
@ -2,13 +2,21 @@

 Name:		rubygem-%{gem_name}
 Version:	3.3.2
-Release:	25%{?dist}
+Release:	26%{?dist}

 Summary:	A fast, safe and extensible Markdown to (X)HTML parser
 # https://github.com/vmg/redcarpet/issues/502
 License:	MIT and ISC
 URL:		http://github.com/vmg/redcarpet
 Source0:	https://rubygems.org/gems/%{gem_name}-%{version}.gem
+# https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
+# https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
+# https://nvd.nist.gov/vuln/detail/CVE-2020-26298
+# Fix a security issue using :quote with :escape_html
+# Fixed in 3.5.1
+# A bit modified for 3.3.2
+# Note that 14942b4f5ef8dbaeeff8d9212f098391d7c1fbdc does chomp, reverting this
+Patch0:	%{gem_name}-3.3.2-CVE-2020-26298.patch

 BuildRequires:	gcc
 BuildRequires:	ruby(release)
@ -29,6 +37,7 @@ Documentation for %{name}.

 %prep
 %setup -q -n %{gem_name}-%{version}
+%patch -P0 -p1

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -87,6 +96,9 @@ popd


 %changelog
+* Sun Apr 30 2023 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.3.2-26
+- Bacckport upstream patch for CVE-2020-26298 (bug 1915370)
+
 * Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-25
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild