Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 765013 (CVE-2020-26298) - <dev-ruby/redcarpet-3.5.1: XSS vulnerability (CVE-2020-26298)
Summary: <dev-ruby/redcarpet-3.5.1: XSS vulnerability (CVE-2020-26298)
Status: RESOLVED FIXED
Alias: CVE-2020-26298
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/advisories/GHSA-q3...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-11 22:02 UTC by Sam James
Modified: 2021-01-28 15:35 UTC (History)
1 user (show)

See Also:
Package list:
dev-ruby/redcarpet-3.5.1 amd64 arm arm64 ppc ppc64 x86
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 22:02:57 UTC 
"Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 22:03:12 UTC 
Let us know when ready to stable, thanks!
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-12 12:05:09 UTC 
ppc64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 02:55:24 UTC 
ppc done
Comment 4 Agostino Sarubbo gentoo-dev 2021-01-21 07:41:42 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-01-24 12:11:25 UTC 
x86 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 21:51:37 UTC 
arm done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 21:52:12 UTC 
arm64 done

all arches done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 21:53:56 UTC 
Please cleanup, thanks!
Comment 9 Hans de Graaff gentoo-dev Security 2021-01-28 05:58:00 UTC 
Cleanup done.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-28 15:35:22 UTC 
(In reply to Hans de Graaff from comment #9)
> Cleanup done.

Thank you!