openSUSE Security Update: Security update for cherrytree
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10230-1
Rating:             moderate
References:         #1202513
Cross-References:   CVE-2022-35133
CVSS scores:
                    CVE-2022-35133 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   cherrytree was updated to version 0.99.49+3:

   * Legacy_canonicalize_filename: manage empty filename
     (gh#giuspen/cherrytree#2118).
   * Added command line option '--anchor AnchorName' that, in addition to the
     existing '--node NodeName', allows opening a document focusing an anchor
     in a node.
   * Changed non-configurable keyboard shortcuts for codebox width and table
     column width to use parenthesis open instead of backslash
     (gh#giuspen/cherrytree#2113).
   * Fixed crash on double exit from systray icon right click menu
     (gh#giuspen/cherrytree#2114).
   * Added keyboard shortcuts to toolbar tooltips (gh#giuspen/cherrytree#2106).
   * Fixed export to HTML crash (gh#giuspen/cherrytree#2109).
   * Force turning off portal usage since it does not work on all distros
     (gh#giuspen/cherrytree#2111).
   * Improved dialog confirmation before executing the code.
   * Additional changes for core22 (gh#giuspen/cherrytree#2110).
   * Allow disabling the dialog asking for confirmation before executing the
     code.
   * Fixed bulleted list unindent (Shift+Tab) crash
     (gh#giuspen/cherrytree#2103).
   * Add home plug (gh#giuspen/cherrytree#2101 and gh#giuspen/cherrytree#2102).
   * Linux menu launcher runs cherrytree in a new instance
     (gh#giuspen/cherrytree#2077).
   * Fixed crash on print/export as PDF of a sequence of characters without
     spaces longer than the page width, such as a very long URL
     (gh#giuspen/cherrytree#2045).
   * Fixed wrongly entering column mode when using keyboard shortcuts with
     <Ctrl><Alt>, such as insert codebox (gh#giuspen/cherrytree#2075).
   * Added syntax highlighting support for GDScript.
   * Fixed tooltip and cursor not reset after hovering a link and then
     navigating to a non rich text node.
   * Support for accent insensitive search: added letters with subordinate
     dots (gh#giuspen/cherrytree#1981).
   * Translation updates.

   - Developer-advised fix for a cross-site scripting (XSS) vulnerability that
     allowed attackers to execute arbitrary web scripts or HTML via a crafted
     payload injected into the Name text field when creating a node
     (boo#1202513, gh#giuspen/cherrytree#2099 and CVE-2022-35133).

   Update to version 0.99.48:

   * Added support for right to left languages in export to HTML and PDF
     (gh#giuspen/cherrytree#2044, gh#giuspen/cherrytree#1668 and
     gh#giuspen/cherrytree#698).
   * In order to support right to left languages in export to HTML, the
     resulting HTML text lines are no longer LINE<br/> but <p>LINE</p>.
   * Fixed in export to PDF the link to node+anchor with non-ASCII anchor name.
   * Improved detection of missing executables required for rendering
     LatexBoxes. These dependencies are no longer mandatory
     (gh#giuspen/cherrytree#2033).
   * Added help to the user to show again a hidden menubar
     (gh#giuspen/cherrytree#1927 and gh#giuspen/cherrytree#2054).
   * Pressing Tab on the very last table cell now adds a new table line and
     moves to its first cell.
   * Fixed issue with relative links to files and folders and documents moved
     between Linux and Windows.
   * In export to HTML and TXT multiple files, now appending the node id to the
     file names to support multiple nodes with the same name.
   * Added syntax highlight support for Solidity (gh#giuspen/cherrytree#2030).
   * After issues with the domain giuspen.com, the domain changed to
     giuspen.net and giuspen.com will eventually go.

   Update to version 0.99.47+2:

   * Added support for LaTeX math equations.
   * Added copy/paste of tree nodes and subnodes between multiple opened files.
   * Restored support for drag and drop of text selection. Now rich text
     content is preserved.
   * Added syntax highlighting for HCL.
   * Fixed issue at reset toolbar in preferences dialog when menubar in
     titlebar.
   * Added command line option (-S/--secondary_session) to run in isolation
     from a possibly already running main instance.
   * Updated flatpak script.

   Update to version 0.99.46+6:

   * Fixed time created/modified filter on searches for node name and tags.
   * Changed default keyboard shortcuts using Ctrl+Period to Ctrl+Backslash
     for clash with latest Linux desktops.
   * Fixed restore window position on Windows and dual screen.
   * Added strip trailing spaces action to rich text right click menu.
   * Fixed issue restoring hpaned tree/text position with tree on the right.
   * Added command line option to pass the password to open an encrypted
     document.

   Update to version 0.99.45+10:

   * Added language Arabic.
   * Fixed time created/modified filter on searches for node name and tags.
   * Just ninja build debug print.
   * Added strip trailing spaces action to rich text right click menu.
   * Minor improvement to previous commit.
   * Fixed copy from codebox and pasting to rich text unwanted additional
     characters.

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10230=1

Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 s390x x86_64):

      cherrytree-0.99.49+3-bp154.2.3.2

   - openSUSE Backports SLE-15-SP4 (noarch):

      cherrytree-lang-0.99.49+3-bp154.2.3.2

References:

   https://www.suse.com/security/cve/CVE-2022-35133.html
   https://bugzilla.suse.com/1202513
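The XSS entry in the changelog above (CVE-2022-35133: a crafted node Name reaching the HTML export) is the usual pattern of untrusted text being interpolated into markup without escaping. The following is an added C++ illustration and not cherrytree's own export code: it shows a small node exporter that HTML-escapes the node name and every text line before emitting the `<p>LINE</p>` form the 0.99.48 notes describe, next to an unescaped variant for contrast. The `Node` struct, the function names and the sample node are assumptions constructed for this example.

```cpp
#include <string>
#include <vector>
#include <sstream>
#include <iostream>

// Escape the characters that change meaning inside HTML text and attribute
// values. Everything else passes through unchanged (UTF-8 bytes included).
std::string escape_html(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical minimal node model: a user-chosen name plus text lines.
struct Node {
    std::string name;
    std::vector<std::string> lines;
};

// Hardened exporter: both the node name (the field named in the CVE) and the
// body lines are escaped before they are placed between tags.
std::string export_node_html(const Node& node) {
    std::ostringstream html;
    html << "<h1>" << escape_html(node.name) << "</h1>\n";
    for (const auto& line : node.lines) {
        html << "<p>" << escape_html(line) << "</p>\n";
    }
    return html.str();
}

// Unescaped variant, kept only to show the defect: any markup typed into the
// node name is emitted verbatim and becomes live HTML in the exported file.
std::string export_node_html_unescaped(const Node& node) {
    std::ostringstream html;
    html << "<h1>" << node.name << "</h1>\n";
    for (const auto& line : node.lines) {
        html << "<p>" << line << "</p>\n";
    }
    return html.str();
}

// Simple post-export check a test suite can run: true if the rendered output
// contains a raw '<' anywhere other than the tags the exporter itself writes.
// Since the exporter only ever writes <h1>, </h1>, <p> and </p>, any other
// '<' means untrusted input reached the markup unescaped.
bool contains_foreign_tag(const std::string& html) {
    static const std::vector<std::string> own = {"<h1>", "</h1>", "<p>", "</p>"};
    for (std::size_t i = html.find('<'); i != std::string::npos; i = html.find('<', i + 1)) {
        bool known = false;
        for (const auto& tag : own) {
            if (html.compare(i, tag.size(), tag) == 0) { known = true; break; }
        }
        if (!known) return true;
    }
    return false;
}

int main() {
    // Constructed sample node whose name carries markup, as a user could type.
    Node sample{"<script>alert(1)</script>", {"a < b & c", "plain line"}};
    std::cout << "hardened:\n" << export_node_html(sample);
    std::cout << "foreign tag in hardened output: "
              << (contains_foreign_tag(export_node_html(sample)) ? "yes" : "no") << "\n";
    std::cout << "foreign tag in unescaped output: "
              << (contains_foreign_tag(export_node_html_unescaped(sample)) ? "yes" : "no") << "\n";
    return 0;
}
```

The `contains_foreign_tag` check is the kind of regression test worth keeping alongside an exporter: it fails loudly if a new code path starts concatenating user text into markup again, which is how this class of bug tends to return after a one-off fix.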