CVE-2023-31606: A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. "There is a security vulnerability in this gem. I tried to communicate with the maintainers in an email, but still haven't got a response, I'm raising the issue here."
A patch has been available upstream for a few days now. Let's wait a few days to see if a new gem version is released; otherwise we can apply it ourselves.
Looks like the maintainer is no longer active and I don't expect a new release. I've pulled in the upstream pull request instead.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd224377c5ba4404b0650baaa31b54d7bbf924b7

commit bd224377c5ba4404b0650baaa31b54d7bbf924b7
Author: Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-07-21 17:50:47 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-07-21 17:50:47 +0000

    dev-ruby/redcloth: fix CVE-2023-31606

    Bug: https://bugs.gentoo.org/908035
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 .../files/redcloth-4.3.2-cve-2023-31606-1.patch | 22 +++++++++
 .../files/redcloth-4.3.2-cve-2023-31606-2.patch | 22 +++++++++
 dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild      | 57 ++++++++++++++++++++++
 3 files changed, 101 insertions(+)
Thanks! Please stabilize when ready.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=7333f37d680f5c423bfeb1acb9a7bf506e04e09f

commit 7333f37d680f5c423bfeb1acb9a7bf506e04e09f
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-10 13:10:26 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-10 13:10:53 +0000

    [ GLSA 202401-14 ] RedCloth: ReDoS Vulnerability

    Bug: https://bugs.gentoo.org/908035
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-14.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)