Hello community, here is the log from the commit of package rubygem-RedCloth for openSUSE:Factory checked in at 2015-08-27 08:57:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-RedCloth (Old) and /work/SRC/openSUSE:Factory/.rubygem-RedCloth.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-RedCloth" Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-RedCloth/rubygem-RedCloth.changes 2014-10-14 07:12:26.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-RedCloth.new/rubygem-RedCloth.changes 2015-08-27 08:57:52.000000000 +0200 @@ -1,0 +2,7 @@ +Mon Jun 15 17:23:23 UTC 2015 - [email protected] + +- pulled patches from debian package for boo#912212 CVE-2012-6684 + adds the following patch: + 0001-Filter-out-javascript-links-when-using-filter_html-o.patch + +------------------------------------------------------------------- New: ---- 0001-Filter-out-javascript-links-when-using-filter_html-o.patch series ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-RedCloth.spec ++++++ --- /var/tmp/diff_new_pack.ba3Y9y/_old 2015-08-27 08:57:52.000000000 +0200 +++ /var/tmp/diff_new_pack.ba3Y9y/_new 2015-08-27 08:57:52.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package rubygem-RedCloth # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,23 +16,34 @@ # +# +# This file was generated with a gem2rpm.yml and not just plain gem2rpm. +# All sections marked as MANUAL, license headers, summaries and descriptions +# can be maintained in that file. Please consult this file before editing any +# of those fields +# + Name: rubygem-RedCloth Version: 4.2.9 Release: 0 %define mod_name RedCloth %define mod_full_name %{mod_name}-%{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRequires: ruby-macros >= 5 BuildRequires: %{rubydevel} BuildRequires: %{rubygem gem2rpm} BuildRequires: %{rubygem rdoc > 3.10} -BuildRequires: ruby-macros >= 5 BuildRequires: update-alternatives Url: http://redcloth.org Source: http://rubygems.org/gems/%{mod_full_name}.gem Source1: rubygem-RedCloth-rpmlintrc -Source2: gem2rpm.yml +Source2: series +Source3: gem2rpm.yml +# MANUAL +Patch0: 0001-Filter-out-javascript-links-when-using-filter_html-o.patch +# /MANUAL Summary: Textile parser for Ruby -License: BSD-3-Clause +License: MIT Group: Development/Languages/Ruby PreReq: update-alternatives @@ -40,6 +51,9 @@ Textile parser for Ruby. %prep +%gem_unpack +%patch0 -p1 +%gem_build %build ++++++ 0001-Filter-out-javascript-links-when-using-filter_html-o.patch ++++++ >From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001 From: Antonio Terceiro <[email protected]> Date: Sat, 7 Feb 2015 23:27:39 -0200 Subject: [PATCH] Filter out 'javascript:' links when using filter_html or sanitize_html This is a fix for CVE-2012-6684 --- lib/redcloth/formatters/html.rb | 6 +++++- spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 spec/security/CVE-2012-6684_spec.rb diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb index bfadfb7..b8793b2 100644 --- a/lib/redcloth/formatters/html.rb +++ b/lib/redcloth/formatters/html.rb 
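Review bot: The `License:` tag flips from `BSD-3-Clause` to `MIT` in this hunk, but the .changes entry submitted with it records only the CVE-2012-6684 patch, so the license correction is undocumented. Add a changelog line such as `- correct License tag to MIT` and confirm it against the license file shipped inside the gem rather than the gem2rpm.yml value alone. The move of the `ruby-macros >= 5` BuildRequires line is harmless and needs no mention.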
@@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML end def link(opts) - "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>" + if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/ + opts[:name] + else + "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>" + end end def image(opts) diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb new file mode 100644 index 0000000..05219fd --- /dev/null +++ b/spec/security/CVE-2012-6684_spec.rb @@ -0,0 +1,14 @@ +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684 + +require 'redcloth' + +describe 'CVE-2012-6684' do + + it 'should not let javascript links pass through' do + # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en + output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html + expect(output).to_not match(/href=.javascript:alert/) + end + + +end -- 2.1.4 ++++++ gem2rpm.yml ++++++ --- /var/tmp/diff_new_pack.ba3Y9y/_old 2015-08-27 08:57:52.000000000 +0200 +++ /var/tmp/diff_new_pack.ba3Y9y/_new 2015-08-27 08:57:52.000000000 +0200 @@ -1,7 +1,7 @@ # --- # ## used by gem2rpm -:summary: Textile parser for Ruby -# ## used by gem2rpm +# :summary: this is a custom summary +# ## used by gem2rpm # :description: |- # this is a custom description # @@ -23,8 +23,7 @@ # foo.patch: -p1 # bar.patch: # ## used by gem2rpm -:sources: - - rubygem-RedCloth-rpmlintrc +# :sources: # - foo.desktop # - bar.desktop # :gem_install_args: '....' @@ -69,3 +68,11 @@ # :post: |- # /bin/echo foo # +--- +:summary: Textile parser for Ruby +:license: MIT +:patches: + 0001-Filter-out-javascript-links-when-using-filter_html-o.patch: -p1 +:sources: +- rubygem-RedCloth-rpmlintrc +- series ++++++ series ++++++ 0001-Filter-out-javascript-links-when-using-filter_html-o.patch
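Review bot: The new guard in `link` only matches a lowercase, line-anchored `javascript:` prefix, so an href such as `JavaScript:alert(1)` or `JAVASCRIPT:alert(1)` still reaches the `<a href=...>` branch under filter_html/sanitize_html even though browsers treat the scheme case-insensitively. Use `opts[:href] =~ /\A\s*javascript:/i` instead: the `i` flag closes the case bypass and `\A` anchors to the start of the string, whereas `^` in Ruby matches after any newline. If the Textile link parser lets tab or newline characters through inside the scheme, browsers strip those too (`java\tscript:`), and `vbscript:` and `data:` URLs are not covered at all, so a scheme allowlist (http, https, mailto, relative paths) would be more robust than a one-entry denylist. The filtered branch returns `opts[:name]` unescaped, which is the same treatment the original `<a>` branch gives it, so that is not a regression but is worth a comment.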
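Review bot: The new spec exercises only the lowercase `javascript:` PoC under `:filter_html`, so it would not catch a case-variant bypass such as `JavaScript:` and never exercises the `sanitize_html` path that the same patch also changes. Add a second example built from `RedCloth.new('["clickme":JavaScript:alert(%27XSS%27)]', [:sanitize_html]).to_html` asserting `expect(output).to_not match(/href=.javascript:alert/i)`, and a leading-whitespace variant since the guard deliberately accepts `\s*`. The stray pair of blank lines before the closing `end` can also be dropped.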
