Bug 733116 (CVE-2020-14001) - <dev-ruby/kramdown-2.3.0: Possible remote code execution (CVE-2020-14001)
Summary: <dev-ruby/kramdown-2.3.0: Possible remote code execution (CVE-2020-14001)
Status: RESOLVED FIXED
Alias: CVE-2020-14001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://kramdown.gettalong.org/news.html
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-18 04:06 UTC by John Helmert III
Modified: 2020-09-15 17:10 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 04:06:51 UTC
CVE-2020-14001:

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Patch, included in 2.3.0: https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde

Maintainer(s), please clean up vulnerable versions.
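An added example, not code from this bug report or from kramdown itself: a pre-filter a site that still renders untrusted Markdown on kramdown < 2.3.0 could run to detect and strip inline option blocks that set `template`. It assumes kramdown's inline options syntax `{::options key="value" /}` with quoted values; the sample document is constructed.

```ruby
# Added example (not from the Gentoo bug or the kramdown project): pre-filter
# untrusted Markdown for inline option blocks that set the `template` option,
# the vector CVE-2020-14001 describes on kramdown < 2.3.0.
# Assumption: kramdown's inline option syntax is {::options key="value" /}.

# One inline options block; /m lets the body span several lines.
OPTIONS_BLOCK = /\{::options\s+(.*?)\s*\/\}/m

# One key="value" (or key='value') pair inside the block body.
KEY_VALUE = /([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/

# Names of every option set through inline blocks, in document order.
def inline_option_names(markdown)
  markdown.scan(OPTIONS_BLOCK).flat_map do |(body)|
    body.scan(KEY_VALUE).map { |key, *| key.downcase }
  end
end

# True when the document tries to set `template` from inside the content,
# which on vulnerable versions can read a file or evaluate embedded Ruby.
def sets_template_option?(markdown)
  inline_option_names(markdown).include?('template')
end

# Remove only the option blocks that set template; other options survive.
def strip_template_option_blocks(markdown)
  markdown.gsub(OPTIONS_BLOCK) do |block|
    keys = Regexp.last_match(1).scan(KEY_VALUE).map { |key, *| key.downcase }
    keys.include?('template') ? '' : block
  end
end

# Constructed sample input (not real site content): one benign option plus
# an inline template option of the kind the CVE text describes.
SAMPLE = <<~MD
  {::options auto_ids="false" /}
  # Heading
  {::options template="/etc/passwd" /}
  Some text.
MD

if __FILE__ == $PROGRAM_NAME
  puts "reject document: #{sets_template_option?(SAMPLE)}"
  puts strip_template_option_blocks(SAMPLE)
end
```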
Comment 1 Hans de Graaff gentoo-dev Security 2020-07-20 08:29:39 UTC
Cleanup mostly done, but app-text/webgen depends on kramdown-1.x. I have filed a bug for this package: https://github.com/gettalong/webgen/issues/17
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 04:21:05 UTC
Looks like we can clean up now?
Comment 3 Hans de Graaff gentoo-dev Security 2020-08-07 04:36:15 UTC
dev-ruby/kramdown:0 has now been masked for removal.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 04:38:01 UTC
(In reply to Hans de Graaff from comment #3)
> dev-ruby/kramdown:0 has now been masked for removal.

Thanks!
Comment 5 Larry the Git Cow gentoo-dev 2020-09-14 17:23:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3915b68bbc814b693c39d43ea67b7a670943f71b

commit 3915b68bbc814b693c39d43ea67b7a670943f71b
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-14 17:18:23 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-14 17:23:44 +0000

    dev-ruby/kramdown: Remove masked slot :0
    
    Bug: https://bugs.gentoo.org/733116
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-ruby/kramdown/Manifest                  |  1 -
 dev-ruby/kramdown/kramdown-1.17.0-r2.ebuild | 51 -----------------------------
 profiles/package.mask                       |  5 ---
 3 files changed, 57 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-15 17:10:16 UTC
Tree is clean. All done.