Bug 32284 - ruby-redcloth new security issue CVE-2023-31606
Summary: ruby-redcloth new security issue CVE-2023-31606
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-09-13 14:14 CEST by Nicolas Salguero
Modified: 2023-10-20 10:35 CEST
CC: 5 users

See Also:
Source RPM: ruby-RedCloth-4.3.2-7.mga9.src.rpm
CVE: CVE-2023-31606
Status comment:


Attachments

Description Nicolas Salguero 2023-09-13 14:14:13 CEST
Ubuntu has issued an advisory on September 12:
https://ubuntu.com/security/notices/USN-6358-1
Nicolas Salguero 2023-09-13 14:14:30 CEST

Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => ruby-RedCloth-4.3.2-7.mga9.src.rpm

Comment 1 Lewis Smith 2023-09-13 20:14:19 CEST
Once again the advisory indicates the fix in a version we already seem to have. Perhaps I am seeing something wrong.

This one is for Pascal.

Status comment: (none) => Fixed 4.3.2-4 ?
Assignee: bugsquad => pterjan

Comment 2 Nicolas Salguero 2023-09-14 14:26:15 CEST
Hi,

The release number from Ubuntu is totally different from the one from Mageia, so 4.3.2-4 in the Ubuntu package does not mean 4.3.2-7.mga9 is newer or contains the patch for the CVE.

Best regards,

Nico.

Status comment: Fixed 4.3.2-4 ? => (none)

Comment 3 Nicolas Salguero 2023-10-11 10:50:49 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. (CVE-2023-31606)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31606
https://ubuntu.com/security/notices/USN-6358-1
========================

Updated packages in 9/core/updates_testing:
========================
ruby-RedCloth-4.3.2-7.1.mga9
ruby-RedCloth-doc-4.3.2-7.1.mga9

from SRPM:
ruby-RedCloth-4.3.2-7.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
ruby-RedCloth-4.3.2-5.1.mga8
ruby-RedCloth-doc-4.3.2-5.1.mga8

from SRPM:
ruby-RedCloth-4.3.2-5.1.mga8.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: pterjan => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2023-31606

Comment 4 Marja Van Waes 2023-10-12 11:18:22 CEST
Advisory from comment 3 uploaded, please remove the "advisory" keyword if it needs to be changed

CC: (none) => marja11
Keywords: (none) => advisory

Comment 5 Herman Viaene 2023-10-13 16:24:17 CEST
MGA9-64 Xfce on Acer Aspire 5253
No installation issues
No previous update, urpmq returns nothing but itself, and reading the doc, this is a parser for use in the Ruby language, developers' stuff.
So OK on clean install.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK

Comment 6 Thomas Andrews 2023-10-19 23:12:44 CEST
MGA8-64 Plasma in Virtualbox

No installation issues, so following Herman's lead and sending it on.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 7 Mageia Robot 2023-10-20 10:35:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0291.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
