Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 733116 (CVE-2020-14001) - <dev-ruby/kramdown-2.3.0: Possible remote code execution (CVE-2020-14001)
Summary: <dev-ruby/kramdown-2.3.0: Possible remote code execution (CVE-2020-14001)
Status: RESOLVED FIXED
Alias: CVE-2020-14001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://kramdown.gettalong.org/news.html
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-18 04:06 UTC by John Helmert III
Modified: 2020-09-15 17:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-07-18 04:06:51 UTC
CVE-2020-14001:

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.



Patch, included in 2.3.0: https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde

Maintainer(s), please cleanup vulnerable versions.
Comment 1 Hans de Graaff gentoo-dev 2020-07-20 08:29:39 UTC
Cleanup mostly done, but app-text/webgen depends on kramdown-1.x. I have filed a bug for this package: https://github.com/gettalong/webgen/issues/17
Comment 2 John Helmert III gentoo-dev Security 2020-08-07 04:21:05 UTC
Looks like we can cleanup now?
Comment 3 Hans de Graaff gentoo-dev 2020-08-07 04:36:15 UTC
dev-ruby/kramdown:0 has now been masked for removal.
Comment 4 John Helmert III gentoo-dev Security 2020-08-07 04:38:01 UTC
(In reply to Hans de Graaff from comment #3)
> dev-ruby/kramdown:0 has now been masked for removal.

Thanks!
Comment 5 Larry the Git Cow gentoo-dev 2020-09-14 17:23:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3915b68bbc814b693c39d43ea67b7a670943f71b

commit 3915b68bbc814b693c39d43ea67b7a670943f71b
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-14 17:18:23 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-14 17:23:44 +0000

    dev-ruby/kramdown: Remove masked slot :0
    
    Bug: https://bugs.gentoo.org/733116
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-ruby/kramdown/Manifest                  |  1 -
 dev-ruby/kramdown/kramdown-1.17.0-r2.ebuild | 51 -----------------------------
 profiles/package.mask                       |  5 ---
 3 files changed, 57 deletions(-)
Comment 6 John Helmert III gentoo-dev Security 2020-09-15 17:10:16 UTC
Tree is clean. All done.