Anki users can download shared decks that contain study material. These are generally considered safe. -Anki's editor code needs access to private API endpoints, so it can do things like read the contents of an image from disk. -Content authors can embed JavaScript inside individual fields [in shared decks]. When those fields are loaded into the editor, if the JavaScript is preserved, it could use those private endpoints to perform malicious acts. -There is no evidence of this being exploited in the wild as of 2025-04-22. Affected versions: <=25.02 with USE=gui Fixed in: 25.02.4 (I pushed a PR that adds this version.) Links: https://github.com/ankitects/anki/releases/tag/25.02.4 https://github.com/ankitects/anki/issues/3935 Reproducible: Always
Thanks for reporting. I've removed the version number from the title since we use that only for fixed versions in the gentoo repository. We'll update that once your PR is merged.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca324d3ed46adadd49324b2b751f3ad9f7f265df commit ca324d3ed46adadd49324b2b751f3ad9f7f265df Author: Lucio Sauer <watermanpaint@posteo.net> AuthorDate: 2025-04-27 00:38:03 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2025-04-29 19:43:51 +0000 app-misc/anki: add 25.02.4 Bug: https://bugs.gentoo.org/953565 Bug: https://bugs.gentoo.org/954770 Signed-off-by: Lucio Sauer <watermanpaint@posteo.net> Part-of: https://github.com/gentoo/gentoo/pull/41783 Closes: https://github.com/gentoo/gentoo/pull/41783 Signed-off-by: Sam James <sam@gentoo.org> app-misc/anki/Manifest | 3 + app-misc/anki/anki-25.02.4.ebuild | 312 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 315 insertions(+)
