Your message dated Sat, 13 Jan 2024 12:47:10 -0500
with message-id
<CAD+GYvz6juT8G2QiXYJ0yyji+Mfy6uu8x2L3AajMX4Yr=s3...@mail.gmail.com>
and subject line Re: CVE-2023-31606: REDOS
has caused the Debian Bug report #1040488,
regarding CVE-2023-31606: REDOS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1040488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040488
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-redcloth
Severity: important
Tags: patch
Dear Maintainer,
Find the following patch in order to fix a REDOS
Thanks
Bastien
From: Kornelius Kalnbach <[email protected]>
Date: Wed, 28 Jun 2023 17:24:55 +0200
Subject: CVE-2023-31606 make regex faster with Atomic Grouping
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
origin: https://patch-diff.githubusercontent.com/raw/jgarber/redcloth/pull/75
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-31606
Signed-off-by: Bastien Roucariès <[email protected]>
---
lib/redcloth/formatters/html.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
index b241c99..396c2d0 100644
--- a/lib/redcloth/formatters/html.rb
+++ b/lib/redcloth/formatters/html.rb
@@ -324,7 +324,7 @@ private
# Clean unauthorized tags.
def clean_html( text, allowed_tags = BASIC_TAGS )
text.gsub!( /<!\[CDATA\[/, '' )
- text.gsub!( /<(\/*)([A-Za-z]\w*)([^>]*?)(\s?\/?)>/ ) do |m|
+ text.gsub!( /<(\/*)([A-Za-z]\w*+)([^>]*?)(\s?\/?)>/ ) do |m|
raw = $~
tag = raw[2].downcase
if allowed_tags.has_key? tag
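Review bot: the change only removes backtracking inside the tag-name group, by making `\w*` possessive (`[A-Za-z]\w*+`, which is shorthand for the atomic group `(?>[A-Za-z]\w*)` named in the subject line) so the engine can no longer hand word characters back to the following `([^>]*?)` group when no closing `>` is found; the lazy `([^>]*?)` followed by the optional `(\s?\/?)` is still retried for every candidate length, so the remaining cost on a long unterminated `<...` run should be measured and a regression test with such an input added alongside this one-character fix. Since the commit message says "Atomic Grouping" while the hunk uses the possessive quantifier form, either wording the message as "possessive quantifier" or writing the group as `(?>[A-Za-z]\w*)` would keep the two consistent.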
--- End Message ---
--- Begin Message ---
Version: 4.3.3-1
This issue appears to be fixed in the new upstream release.
Thank you,
Jeremy Bícha
--- End Message ---