The version of freeplane is (probably) vulnerable to two bugs as stated on the freeplane website. Groovy scripts and formulas can escape sandbox, fixed in versions 1.5.20 and 1.6.1_17 XML External Entity vulnerability in map parser, fixed in versions 1.5.20 and 1.6.1_17 ref: https://www.freeplane.org/wiki/index.php/Fixed_security_vulnerabilities Reproducible: Always Steps to Reproduce: Here are the links to the vulnerabilities: 1. https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser 2. https://www.freeplane.org/wiki/index.php/Groovy_scripts_and_formulas_can_escape_sandbox
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91128b1d969038e07aa1de5c3bd505d141e2a5f0 commit 91128b1d969038e07aa1de5c3bd505d141e2a5f0 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-03-23 18:24:56 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-03-23 18:24:56 +0000 package.mask: Last rite app-misc/freeplane Bug: https://bugs.gentoo.org/670028 Signed-off-by: Michał Górny <mgorny@gentoo.org> profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+)
Package has been masked, scheduled for removal.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e03c0e8c36e61b9b3d2493f1b3ff1f52b375a3f1 commit e03c0e8c36e61b9b3d2493f1b3ff1f52b375a3f1 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-04-22 07:31:50 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-04-22 07:31:50 +0000 app-misc/freeplane: Remove last-rited pkg Closes: https://bugs.gentoo.org/670028 Signed-off-by: Michał Górny <mgorny@gentoo.org> app-misc/freeplane/Manifest | 2 -- app-misc/freeplane/freeplane-1.5.18.ebuild | 49 ------------------------------ app-misc/freeplane/metadata.xml | 11 ------- profiles/package.mask | 5 --- 4 files changed, 67 deletions(-)
