commit rubygem-RedCloth.3870 for openSUSE:13.1:Update
Hello community,

here is the log from the commit of package rubygem-RedCloth.3870 for openSUSE:13.1:Update checked in at 2015-07-02 09:08:50

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/rubygem-RedCloth.3870 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.rubygem-RedCloth.3870.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-RedCloth.3870"

Changes:
--------
New Changes file:

--- /dev/null	2015-06-25 09:04:34.320025005 +0200
+++ /work/SRC/openSUSE:13.1:Update/.rubygem-RedCloth.3870.new/rubygem-RedCloth.changes	2015-07-02 09:08:51.000000000 +0200
@@ -0,0 +1,98 @@ +------------------------------------------------------------------- +Mon Jun 15 17:03:25 UTC 2015 - mrueckert@suse.de + +- pulled patches from debian package for boo #912212 CVE-2012-6684 + adds the following patch: + 0001-Filter-out-javascript-links-when-using-filter_html-o.patch + +------------------------------------------------------------------- +Tue Jul 17 09:55:23 UTC 2012 - coolo@suse.com + +- update to 4.2.9 + * Fix RbConfig / Config warning in Ruby 1.9.3. [Steve Purcell, Robert Gleeson, and unclaimedbaggage] + * Use RSTRING_NOT_MODIFIED header for Rubinius [Dirkjan Bussink] + +------------------------------------------------------------------- +Mon Feb 13 10:55:09 UTC 2012 - coolo@suse.com + +- patch license to follow spdx.org standard + +------------------------------------------------------------------- +Sun Sep 18 00:27:41 UTC 2011 - mrueckert@suse.de + +- update to version 4.2.8 + * Do not treat warnings as errors so it compiles cleanly. + [Tomasz Wałkuski] + +------------------------------------------------------------------- +Wed Jul 27 14:02:55 UTC 2011 - fcastelli@novell.com + +- Fix build on SLE + +------------------------------------------------------------------- +Thu Jul 21 12:05:08 UTC 2011 - fcastelli@novell.com + +- update to version 4.2.7 + * Fixed typo in gemspec to make case-sensitive require + work. [Gabe da Silveira] + * Tested installing the gem and requiring it with both cases on + Ubuntu 8.04, 10.10 and OS X Version 10.6.6. + * Have spaces around the en-dash in LaTeX [Benjamin Quorning] + * Turned double-quote close to smart quotes in LaTeX [Jonathan D. Blake] + * Add case-sensitive require back into the gemspec. + * Fix rdoc options in gemspec. + * Fix bundler and rubygems-test incompatibilities. 
Working around bug: + https://github.com/carlhuda/bundler/issues/issue/1021 + * Add .gemtest to opt-in to rubygems-test program (gem install + rubygems-test to participate) + * Allow attributes to be set on hr and br tags [Jesse Stormier] + * Fix dangling <li> [Stephen Bannasch] + * Switch to bundler and rake-compiler for gem management/compilation + * Fix invalid YAML for Ruby 1.9.2 [Aaron Patterson]- + +------------------------------------------------------------------- +Mon Jun 14 15:59:59 UTC 2010 - mrueckert@suse.de + +- update to version 4.2.3 + * Allow quotes in styles so you can do things like listing + font-families. [Jason Garber] + * Fix uninitialized constant + Gem::Specification::PLATFORM_CROSS_TARGETS in Rails + [Jason Garber] + * Allow uppercase letters in class and ID attributes even though + it's invalid [Jason Garber] + * Fix compatibility with newer Echoe, by using full-name for + Platform [Flameeyes] + * Fixes for PPC/PPC64 [Flameeyes] + * Added a modified copy of 'Textile Reference' to a doc folder + [codesponge] + * Add footnote return links [Jonathan Rudenberg] + * Add bug report link to the README + +------------------------------------------------------------------- +Fri Jun 11 10:00:01 UTC 2010 - mrueckert@suse.de + +- use rubygems_requires macro + +------------------------------------------------------------------- +Mon Aug 31 11:44:21 CEST 2009 - dmacvicar@novell.com + +- update to 4.2.2 + +------------------------------------------------------------------- +Thu Nov 6 15:29:39 CET 2008 - mrueckert@suse.de + +- Fix build: we dont have ruby18 + +------------------------------------------------------------------- +Wed Jun 21 01:19:19 CEST 2006 - mrueckert@suse.de + +- use rubygems_with_buildroot_patch instead of the versioned + buildrequires + +------------------------------------------------------------------- +Mon Jun 19 19:42:28 CEST 2006 - mrueckert@suse.de + +- Initial package version 3.0.4 + + New: ---- 
0001-Filter-out-javascript-links-when-using-filter_html-o.patch
RedCloth-4.2.9.gem
rubygem-RedCloth-rpmlintrc
rubygem-RedCloth.changes
rubygem-RedCloth.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-RedCloth.spec ++++++
#
# spec file for package rubygem-RedCloth
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           rubygem-RedCloth
Version:        4.2.9
Release:        0
%define mod_name RedCloth
%define mod_full_name %{mod_name}-%{version}
#
#
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  fastjar
BuildRequires:  fdupes
BuildRequires:  rubygems_with_buildroot_patch
%rubygems_requires
#
Url:            http://redcloth.org
Source:         %{mod_full_name}.gem
#
# MANUAL
Patch0:         0001-Filter-out-javascript-links-when-using-filter_html-o.patch
# /MANUAL
Summary:        Textile parser for Ruby
License:        BSD-3-Clause
Group:          Development/Languages/Ruby

%description
Textile parser for Ruby.

%package doc
Summary:        RDoc documentation for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.

%package testsuite
Summary:        Test suite for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description testsuite
Test::Unit or RSpec files, useful for developers.

%prep
%gem_unpack
%patch0 -p1
%gem_build

%build

%install
%gem_install -f
%gem_cleanup
%fdupes %{buildroot}/%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_name}-%{version}/

%clean
%{__rm} -rf %{buildroot}

%files
%defattr(-,root,root,-)
%{_bindir}/redcloth
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%exclude %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/spec
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec

%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/

%files testsuite
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/spec

%changelog

++++++ 0001-Filter-out-javascript-links-when-using-filter_html-o.patch ++++++
From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001
From: Antonio Terceiro <terceiro@debian.org>
Date: Sat, 7 Feb 2015 23:27:39 -0200
Subject: [PATCH] Filter out 'javascript:' links when using filter_html or sanitize_html
This is a fix for CVE-2012-6684 --- lib/redcloth/formatters/html.rb | 6 +++++- spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 spec/security/CVE-2012-6684_spec.rb diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb index bfadfb7..b8793b2 100644 --- a/lib/redcloth/formatters/html.rb +++ b/lib/redcloth/formatters/html.rb @@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML end def link(opts) - "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>" + if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/ + opts[:name] + else + "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>" + end end def image(opts) diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb new file mode 100644 index 0000000..05219fd --- /dev/null +++ b/spec/security/CVE-2012-6684_spec.rb @@ -0,0 +1,14 @@ +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684 + +require 'redcloth' + +describe 'CVE-2012-6684' do + + it 'should not let javascript links pass through' do + # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en + output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html + expect(output).to_not match(/href=.javascript:alert/) + end + + +end -- 2.1.4 ++++++ rubygem-RedCloth-rpmlintrc ++++++ addFilter("devel-file-in-non-devel-package")
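Review bot: the scheme check added to link() in lib/redcloth/formatters/html.rb is case-sensitive and anchored with ^, so `opts[:href] =~ /^\s*javascript:/` does not match `JavaScript:` or `JAVASCRIPT:` even though browsers treat the scheme case-insensitively, and in Ruby ^ matches at the start of any line rather than the start of the string; use `/\A\s*javascript:/i` instead. A deny-list of a single scheme is also fragile (vbscript: and data: URLs carry the same risk in some user agents), so an allow-list of permitted schemes (http, https, mailto, ftp, plus relative and fragment targets) applied under the same filter_html/sanitize_html condition would be more robust. Only link() is changed in this hunk; image(opts), whose definition starts in the trailing context, emits a src attribute from similar input and should get the same check if its URL can come from untrusted Textile.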
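Review bot: the spec in spec/security/CVE-2012-6684_spec.rb asserts only that the output does not match /href=.javascript:alert/; it does not check that the link text "clickme" is still emitted, that a benign link such as "home":http://example.com/ still renders as an anchor, or that capitalised (JavaScript:) and whitespace-prefixed variants are filtered too. Add those cases so a regression in the else branch of link() or a bypass via case is caught, and add an example using :sanitize_html, since the new code path is enabled for it but the spec only exercises :filter_html.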