Bug 31233 - cherrytree new security issue CVE-2022-35133
Summary: cherrytree new security issue CVE-2022-35133
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-06 18:09 CET by David Walser
Modified: 2024-03-20 04:36 CET
3 users

See Also:
Source RPM: cherrytree-0.99.42-3.mga9.src.rpm
CVE: CVE-2022-35133
Status comment:


Description David Walser 2022-12-06 18:09:57 CET
openSUSE has issued an advisory on December 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O3LINIV5NYLJYVZQQS73MPYNTWII3ZH2/

Mageia 8 is also affected.
Comment 1 David Walser 2022-12-06 18:11:17 CET
The issue is apparently fixed upstream in a newer version. I don't quite understand their versioning with the +'s sometimes in them, but the newest upstream version should have the fix.

Whiteboard: (none) => MGA8TOO

Comment 2 Lewis Smith 2022-12-06 20:10:26 CET
A rare package in wally's court, so assigning to you.

Status comment: (none) => newest upstream version should have the fix
Assignee: bugsquad => jani.valimaa

Comment 3 Nicolas Salguero 2024-03-18 15:29:15 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A cross-site scripting (XSS) vulnerability in CherryTree v0.99.30 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node. (CVE-2022-35133)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O3LINIV5NYLJYVZQQS73MPYNTWII3ZH2/
========================

Updated package in core/updates_testing:
========================
cherrytree-1.0.4-1.mga9

from SRPM:
cherrytree-1.0.4-1.mga9.src.rpm

Assignee: jani.valimaa => qa-bugs
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: newest upstream version should have the fix => (none)
CVE: (none) => CVE-2022-35133
CC: (none) => nicolas.salguero

katnatek 2024-03-18 19:26:02 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2024-03-19 19:40:05 CET
MGA9-64 Plasma, i5-7500, nvidia Quadro K620 graphics.

Installed cherrytree and dependencies, ran it just long enough to see the GUI come up, then got the update with no installation issues.

No previous updates, and I'm completely unfamiliar with this application, so I sought guidance on the Web, finding a couple of introductory videos on YouTube. Armed with this vast new knowledge, I opened Cherrytree and played around, creating a node and subnodes, customizing them with different colors, adding a note or two, saving it in xml format, loading it back again (I did have to tell Plasma it was a tool for using xml files), exporting to pdf, and printing a copy.

Everything worked, with no issues. This looks good to go. Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-03-20 04:36:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0074.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
