import rubygem-redcarpet-3.3.2-26.el9

i9cf changed/i9ce/rubygem-redcarpet-3.3.2-26.el9
MSVSphere Packaging Team 1 year ago
commit 469566454e

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/redcarpet-3.3.2.gem

@ -0,0 +1 @@
9cbcde68bec1a3a6d87eef96a86aaca8f90c5a5e SOURCES/redcarpet-3.3.2.gem

@ -0,0 +1,56 @@
From a699c82292b17c8e6a62e1914d5eccc252272793 Mon Sep 17 00:00:00 2001
From: Robin Dupret <robin.dupret@hey.com>
Date: Tue, 15 Dec 2020 20:57:32 +0100
Subject: [PATCH] Fix a security issue using `:quote` with `:escape_html`
Reported by @johan-smits.
---
CHANGELOG.md | 7 +++++++
ext/redcarpet/html.c | 9 ++++++++-
lib/redcarpet.rb | 2 +-
redcarpet.gemspec | 4 ++--
test/markdown_test.rb | 10 ++++++++++
5 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/ext/redcarpet/html.c b/ext/redcarpet/html.c
index 805ddd8e..785f780f 100644
--- a/ext/redcarpet/html.c
+++ b/ext/redcarpet/html.c
@@ -255,8 +255,15 @@ rndr_quote(struct buf *ob, const struct buf *text, void *opaque)
if (!text || !text->size)
return 0;
+ struct html_renderopt *options = opaque;
+
BUFPUTSL(ob, "<q>");
- bufput(ob, text->data, text->size);
+
+ if (options->flags & HTML_ESCAPE)
+ escape_html(ob, text->data, text->size);
+ else
+ bufput(ob, text->data, text->size);
+
BUFPUTSL(ob, "</q>");
return 1;
diff --git a/test/markdown_test.rb b/test/markdown_test.rb
index 4347be9b..68de1255 100644
--- a/test/markdown_test.rb
+++ b/test/markdown_test.rb
@@ -220,6 +220,16 @@ def test_quote_flag_works
assert output.include? '<q>quote</q>'
end
+ def test_quote_flag_honors_escape_html
+ text = 'We are not "<svg/onload=pwned>"'
+
+ output_enabled = render(text, with: [:quote, :escape_html])
+ output_disabled = render(text, with: [:quote])
+
+ assert_equal "<p>We are not <q>&lt;svg/onload=pwned&gt;</q></p>\n", output_enabled
+ assert_equal "<p>We are not <q><svg/onload=pwned></q></p>\n", output_disabled
+ end
+
def test_that_fenced_flag_works
text = <<fenced
This is a simple test
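Review bot: The diffstat in the patch preamble still lists five files and 28 insertions, but the body carries only the `ext/redcarpet/html.c` and `test/markdown_test.rb` diffs. Someone auditing this backport against upstream a699c82 cannot tell whether the CHANGELOG.md, lib/redcarpet.rb and redcarpet.gemspec changes were dropped on purpose. I would either trim the diffstat to the two files or add a line under the `---` separator such as `Backport for 3.3.2: only the html.c and markdown_test.rb hunks are carried.` Separately, the second assertion in `test_quote_flag_honors_escape_html` pins that `:quote` without `:escape_html` emits the quoted markup verbatim inside `<q>`, so the fix protects only callers that enable `:escape_html`; a one-line comment above that assertion, e.g. `# without :escape_html raw markup is passed through by design`, would keep it from being read as a regression later. `rndr_quote` continues outside the hunk shown.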

@ -0,0 +1,219 @@
%global gem_name redcarpet
Name: rubygem-%{gem_name}
Version: 3.3.2
Release: 26%{?dist}
Summary: A fast, safe and extensible Markdown to (X)HTML parser
# https://github.com/vmg/redcarpet/issues/502
License: MIT and ISC
URL: http://github.com/vmg/redcarpet
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
# https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
# https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
# https://nvd.nist.gov/vuln/detail/CVE-2020-26298
# Fix a security issue using :quote with :escape_html
# Fixed in 3.5.1
# A bit modified for 3.3.2
# Note that 14942b4f5ef8dbaeeff8d9212f098391d7c1fbdc does chomp, reverting this
Patch0: %{gem_name}-3.3.2-CVE-2020-26298.patch
BuildRequires: gcc
BuildRequires: ruby(release)
BuildRequires: rubygems-devel
BuildRequires: ruby-devel
BuildRequires: rubygem(test-unit)
%description
A fast, safe and extensible Markdown to (X)HTML parser.
%package doc
Summary: Documentation for %{name}
Requires: %{name} = %{version}-%{release}
BuildArch: noarch
%description doc
Documentation for %{name}.
%prep
%setup -q -n %{gem_name}-%{version}
%patch -P0 -p1
%build
gem build ../%{gem_name}-%{version}.gemspec
%gem_install
# https://github.com/vmg/redcarpet/pull/503
chmod a-x .%{gem_instdir}/ext/redcarpet/html.c
%install
mkdir -p %{buildroot}%{gem_dir}
cp -a ./%{gem_dir}/* %{buildroot}%{gem_dir}/
mkdir -p %{buildroot}%{_bindir}
cp -a ./%{_bindir}/* %{buildroot}%{_bindir}
chmod 755 %{buildroot}%{_bindir}/redcarpet
mkdir -p %{buildroot}%{gem_extdir_mri}
cp -a .%{gem_extdir_mri}/{gem.build_complete,*.so} \
%{buildroot}%{gem_extdir_mri}/
# cleanups
pushd %{buildroot}%{gem_instdir}
# Prevent dangling symlink in -debuginfo.
rm -rf \
Gemfile \
Rakefile \
ext/ \
test/ \
%{gem_name}.gemspec \
%{nil}
popd
rm -f %{buildroot}%{gem_cache}
%check
pushd .%{gem_instdir}
env \
RUBYOPT=-Ilib:$(dirs +1)%{gem_extdir_mri}:test \
ruby -e 'Dir.glob "./test/**/*_test.rb", &method(:require)'
popd
%files
%dir %{gem_instdir}
%license %{gem_instdir}/COPYING
%doc %{gem_instdir}/README.markdown
%{_bindir}/redcarpet
%{gem_instdir}/bin
%{gem_libdir}
%{gem_extdir_mri}
%{gem_spec}
%files doc
%doc %{gem_docdir}
%changelog
* Wed Jan 10 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 3.3.2-26
- Rebuilt for MSVSphere 9.3
* Sun Apr 30 2023 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.3.2-26
- Bacckport upstream patch for CVE-2020-26298 (bug 1915370)
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-25
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jan 04 2023 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.3.2-24
- Rebuild for https://fedoraproject.org/wiki/Changes/Ruby_3.2
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jan 26 2022 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.3.2-22
- F-36: rebuild against ruby31
- modernize spec file, especially move %%gem_install to %%build
to fix FTBFS with package_notes
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 6 2021 Vít Ondruch <vondruch@redhat.com> - 3.3.2-18
- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_3.0
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 17 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.3.2-15
- F-32: rebuild against ruby27
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jan 17 2019 Vít Ondruch <vondruch@redhat.com> - 3.3.2-12
- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.6
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 3.3.2-9
- Rebuilt for switch to libxcrypt
* Thu Jan 04 2018 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.3.2-8
- F-28: rebuild for ruby25
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Wed Jan 11 2017 Vít Ondruch <vondruch@redhat.com> - 3.3.2-4
- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.4
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Jan 11 2016 Vít Ondruch <vondruch@redhat.com> - 3.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.3
* Wed Jul 08 2015 Vít Ondruch <vondruch@redhat.com> - 3.3.2-1
- Update to Redcarpet 3.3.2.
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Jan 16 2015 Vít Ondruch <vondruch@redhat.com> - 2.1.1-12
- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.2
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Apr 17 2014 Vít Ondruch <vondruch@redhat.com> - 2.1.1-9
- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.1
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Mar 14 2013 Josef Stribny <jstribny@redhat.com> - 2.1.1-7
- Rebuild for https://fedoraproject.org/wiki/Features/Ruby_2.0.0
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon May 21 2012 Matt Hicks <mhicks@redhat.com> - 2.1.1-4
- Removing conditionals
* Mon May 21 2012 Matt Hicks <mhicks@redhat.com> - 2.1.1-3
- Adding newer rdoc build requires to fix rpmdiff issue
* Fri May 18 2012 Matt Hicks <mhicks@redhat.com> - 2.1.1-2
- Cleaning up spec to remove patch and rake testing dependency
* Thu Apr 26 2012 Matt Hicks <mhicks@redhat.com> - 2.1.1-1
- Initial package
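Review bot: The comment block above `Patch0:` says the fix was `A bit modified for 3.3.2` without saying how, which leaves the next maintainer to diff the carried patch against the upstream commit to learn what differs. Judging from the patch added in this same commit, only the html.c and test hunks appear to have been kept, so I would spell that out, e.g. `# Backport keeps only the ext/redcarpet/html.c and test/markdown_test.rb hunks of the upstream commit`. Also, `URL:` still points at plain http; `URL: https://github.com/vmg/redcarpet` matches the https links already used in the surrounding comments.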