Bug 908035 (CVE-2023-31606) - <dev-ruby/redcloth-4.3.2-r5: ReDoS in html sanitization
Summary: <dev-ruby/redcloth-4.3.2-r5: ReDoS in html sanitization
Status: RESOLVED FIXED
Alias: CVE-2023-31606
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/jgarber/redcloth/i...
Whiteboard: B3 [glsa+]
Keywords: PATCH
Depends on: 914594
Blocks:
Reported: 2023-06-08 04:14 UTC by John Helmert III
Modified: 2024-01-10 13:11 UTC (History)
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-08 04:14:56 UTC
CVE-2023-31606:

A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

"There is a security vulnerability in this gem. I tried to communicate with the maintainers in an email, but still haven't got a response, so I'm raising the issue here."
Comment 1 Hans de Graaff gentoo-dev Security 2023-07-09 06:01:29 UTC
A patch has been available upstream for a few days now. Let's wait a few days to see if a new gem version is released; otherwise we can apply it ourselves.
Comment 2 Hans de Graaff gentoo-dev Security 2023-07-21 17:52:07 UTC
Looks like the maintainer is no longer active and I don't expect a new release. I've pulled in the upstream pull request instead.
Comment 3 Larry the Git Cow gentoo-dev 2023-07-21 17:52:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd224377c5ba4404b0650baaa31b54d7bbf924b7

commit bd224377c5ba4404b0650baaa31b54d7bbf924b7
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-07-21 17:50:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-07-21 17:50:47 +0000

    dev-ruby/redcloth: fix CVE-2023-31606
    
    Bug: https://bugs.gentoo.org/908035
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 .../files/redcloth-4.3.2-cve-2023-31606-1.patch    | 22 +++++++++
 .../files/redcloth-4.3.2-cve-2023-31606-2.patch    | 22 +++++++++
 dev-ruby/redcloth/redcloth-4.3.2-r5.ebuild         | 57 ++++++++++++++++++++++
 3 files changed, 101 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-08-02 05:39:57 UTC
Thanks! Please stabilize when ready.
Comment 5 Larry the Git Cow gentoo-dev 2024-01-10 13:11:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7333f37d680f5c423bfeb1acb9a7bf506e04e09f

commit 7333f37d680f5c423bfeb1acb9a7bf506e04e09f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-10 13:10:26 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-10 13:10:53 +0000

    [ GLSA 202401-14 ] RedCloth: ReDoS Vulnerability
    
    Bug: https://bugs.gentoo.org/908035
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-14.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)