Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 777252 (CVE-2021-28834)

Summary: <dev-ruby/kramdown-2.3.1: incorrect class instantiation restriction (CVE-2021-28834)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-19 12:54:35 UTC 
CVE-2021-28834:

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Patch: https://github.com/gettalong/kramdown/pull/708/commits/d6a1cbcb2caa2f8a70927f176070d126b2422760
Comment 1 Hans de Graaff gentoo-dev Security 2021-03-20 07:32:56 UTC 
kramdown-2.3.1 has been added.
Comment 2 Hans de Graaff gentoo-dev Security 2021-03-20 07:33:36 UTC 
Cleanup done.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-20 14:27:36 UTC 
All done, thanks!