Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 916900 (CVE-2023-47258, CVE-2023-47259, CVE-2023-47260) - <www-apps/redmine-5.0.6: multiple XSS vulnerabilities
Summary: <www-apps/redmine-5.0.6: multiple XSS vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-47258, CVE-2023-47259, CVE-2023-47260
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://www.redmine.org/projects/redm...
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2023-11-05 17:10 UTC by John Helmert III
Modified: 2024-02-10 05:48 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-05 17:10:48 UTC 
CVE-2023-47258:

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter.

CVE-2023-47260:

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails.

CVE-2023-47259:

Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter.
Comment 1 Hank Leininger 2023-11-28 04:20:53 UTC 
FWIW I encountered a minor issue trying to use this ebuild: it permits deckar01-task_list-2.3.3, but the Gemfile for 5.0.6 requires 2.3.2. Upstream has not moved to 2.3.3 in any branch that I can find.

I didn't want to fight through surprise issues so I just set =2.3.2 in the ebuild. That required forgoing claiming ruby32 compat because the deckar01-task_list-2.3.2 in ::gentoo has USE_RUBY only up through ruby31.

I don't actually see anything in https://gitlab.com/deckar01/task_list that makes me think 2.3.2 won't work w/ruby 3.2, but I didn't look very closely.
Comment 2 Hank Leininger 2023-11-28 04:21:49 UTC 
...Bah, I probably should have commented on https://github.com/gentoo/gentoo/pull/33748 instead of here.
Comment 3 Hans de Graaff gentoo-dev Security 2023-12-02 08:31:28 UTC 
(In reply to Hank Leininger from comment #1)

> I didn't want to fight through surprise issues so I just set =2.3.2 in the
> ebuild. That required forgoing claiming ruby32 compat because the
> deckar01-task_list-2.3.2 in ::gentoo has USE_RUBY only up through ruby31.

From a maintenance point of view we prefer to avoid dependencies on specific versions in general, but to facilitate this security issue I've also added ruby32 to the old deckar01-task_list ebuild.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-07 00:20:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec28e1443716cb1a614eef933d6e495b73dce88b

commit ec28e1443716cb1a614eef933d6e495b73dce88b
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2023-11-09 22:29:33 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-01-07 00:19:37 +0000

    www-apps/redmine: add 5.0.6
    
    Add ruby 3.2 support, EAPI 8.
    Bug: https://bugs.gentoo.org/916900
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-apps/redmine/Manifest             |   1 +
 www-apps/redmine/redmine-5.0.6.ebuild | 255 ++++++++++++++++++++++++++++++++++
 2 files changed, 256 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-10 05:48:08 UTC 
Thanks!