node-katex: CVE-2024-28243 CVE-2024-28244 CVE-2024-28245 CVE-2024-28246

Related Vulnerabilities: CVE-2024-28243   CVE-2024-28244   CVE-2024-28245   CVE-2024-28246  

Debian Bug report logs - #1067805


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 26 Mar 2024 22:27:01 UTC

Severity: important

Tags: security, upstream

Found in version node-katex/0.16.4+~cs6.1.0-1

Fixed in version node-katex/0.16.10+~cs6.1.0-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1067805; Package src:node-katex. (Tue, 26 Mar 2024 22:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 26 Mar 2024 22:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-katex: CVE-2024-28243 CVE-2024-28244 CVE-2024-28245 CVE-2024-28246
Date: Tue, 26 Mar 2024 23:22:40 +0100
Source: node-katex
Version: 0.16.4+~cs6.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for node-katex.

CVE-2024-28243[0]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\edef` that causes a near-infinite
| loop, despite setting `maxExpand` to avoid such loops. This can be
| used as an availability attack, where e.g. a client rendering
| another user's KaTeX input will be unable to use the site due to
| memory overflow, tying up the main thread, or stack overflow.
| Upgrade to KaTeX v0.16.10 to remove this vulnerability.


CVE-2024-28244[1]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\def` or `\newcommand` that causes
| a near-infinite loop, despite setting `maxExpand` to avoid such
| loops. KaTeX supports an option named maxExpand which aims to
| prevent infinitely recursive macros from consuming all available
| memory and/or triggering a stack overflow error. Unfortunately,
| support for "Unicode (sub|super)script characters" allows an
| attacker to bypass this limit. Each sub/superscript group
| instantiated a separate Parser with its own limit on macro
| executions, without inheriting the current count of macro executions
| from its parent. This has been corrected in KaTeX v0.16.10.


CVE-2024-28245[2]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\includegraphics` that runs
| arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX
| v0.16.10 to remove this vulnerability.


CVE-2024-28246[3]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| Code that uses KaTeX's `trust` option, specifically that provides a
| function to blacklist certain URL protocols, can be fooled by URLs
| in malicious inputs that use uppercase characters in the protocol.
| In particular, this can allow for malicious input to generate
| `javascript:` links in the output, even if the `trust` function
| tries to forbid this protocol via `trust: (context) =>
| context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to
| remove this vulnerability.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28243
    https://www.cve.org/CVERecord?id=CVE-2024-28243
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
[1] https://security-tracker.debian.org/tracker/CVE-2024-28244
    https://www.cve.org/CVERecord?id=CVE-2024-28244
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc
[2] https://security-tracker.debian.org/tracker/CVE-2024-28245
    https://www.cve.org/CVERecord?id=CVE-2024-28245
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h
[3] https://security-tracker.debian.org/tracker/CVE-2024-28246
    https://www.cve.org/CVERecord?id=CVE-2024-28246
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329

Regards,
Salvatore

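The maxExpand bypass described for CVE-2024-28244 (a separate Parser per sub/superscript group, each with a fresh macro-execution counter) is easy to reproduce in a toy expander. The block below is an added example written for this page, not KaTeX's code and not part of the Debian package: the macro table (`\c0` .. `\cN`), the token shapes, and the `Expander`/`run` names are all constructed for illustration. The only difference between the vulnerable and the fixed variant is whether the child parser receives its own budget object or the parent's.

```javascript
// Added example, not KaTeX code: a toy TeX-style macro expander showing the
// bug class behind CVE-2024-28244, where each sub/superscript group got its
// own parser with a fresh maxExpand budget instead of inheriting the parent's.

// Constructed macro table: \c0 expands to a literal, \cN expands to two
// copies of \c(N-1). Fully expanding \cN costs 2^(N+1) - 1 expansions.
function buildMacros(depth) {
  const macros = { c0: ['x'] };
  for (let i = 1; i <= depth; i++) {
    macros['c' + i] = ['\\c' + (i - 1), '\\c' + (i - 1)];
  }
  return macros;
}

class Expander {
  // budget is { count, max }. Sharing one object between parent and child
  // parsers is what makes the limit global rather than per parser.
  constructor(macros, budget, stats) {
    this.macros = macros;
    this.budget = budget;
    this.stats = stats; // { expansions } : total work done, for measurement
  }

  // tokens: strings, or { group: [...] } standing for a (Unicode)
  // superscript group that is handed to a child Expander via makeChild(parent).
  expand(tokens, makeChild) {
    const out = [];
    const stack = [...tokens].reverse();
    while (stack.length) {
      const tok = stack.pop();
      if (typeof tok === 'object') {
        out.push({ group: makeChild(this).expand(tok.group, makeChild) });
      } else if (tok.startsWith('\\') && tok.slice(1) in this.macros) {
        this.stats.expansions++;
        if (++this.budget.count > this.budget.max) {
          throw new Error('maxExpand exceeded');
        }
        const body = this.macros[tok.slice(1)];
        for (let i = body.length - 1; i >= 0; i--) stack.push(body[i]);
      } else {
        out.push(tok);
      }
    }
    return out;
  }
}

// Vulnerable pattern: the child parser starts with count = 0 again.
const freshBudgetChild = (p) =>
  new Expander(p.macros, { count: 0, max: p.budget.max }, p.stats);

// Fixed pattern: the child parser inherits the parent's budget object.
const sharedBudgetChild = (p) => new Expander(p.macros, p.budget, p.stats);

// Expand `groups` superscript groups, each containing a single \c<depth>,
// and report how much work was done and whether the limit ever fired.
function run(makeChild, { maxExpand = 1000, depth = 8, groups = 10 } = {}) {
  const stats = { expansions: 0 };
  const input = Array.from({ length: groups }, () => ({ group: ['\\c' + depth] }));
  const root = new Expander(buildMacros(depth), { count: 0, max: maxExpand }, stats);
  try {
    root.expand(input, makeChild);
    return { expansions: stats.expansions, limited: false };
  } catch (e) {
    return { expansions: stats.expansions, limited: true };
  }
}

// Each group costs 511 expansions, below a per-parser limit of 1000, so the
// fresh-budget variant never trips: 10 groups -> 5110 expansions. The shared
// budget trips on the 1001st expansion, during the second group.
console.log('fresh budget per child :', run(freshBudgetChild));
console.log('shared budget          :', run(sharedBudgetChild));
```

The attacker-controlled knob is the number of groups: with a fresh budget per child, total work is groups × (maxExpand − 1) with no limit ever firing, which is exactly the "despite setting maxExpand" situation in the advisory text. The fix is a one-line change in who owns the counter.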

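CVE-2024-28246 is a case-sensitivity bug in a blocklist check, and the CVE text quotes the exact callback that fails (`context.protocol !== 'javascript'`). The block below is an added example for this page, not KaTeX's own code: it models the `trust` callback contract with a minimal scheme extractor, and the `_relative` value, the `command` field, and the `rawProtocol`/`isTrusted` helper names are assumptions made for illustration. It contrasts the unnormalized protocol with a case-normalized one, and a blocklist callback with an allowlist one.

```javascript
// Added example, not KaTeX code: why a blocklist `trust` callback compared
// case-sensitively against the URL scheme is bypassable (the CVE-2024-28246
// pattern), beside two hardened variants.

// Scheme extraction as a renderer might hand it to a trust callback.
// Assumption for this example: the scheme is the RFC 3986 scheme token before
// the first ':'; URLs without one are reported as "_relative".
function rawProtocol(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(url);
  return m ? m[1] : '_relative';
}

// Vulnerable pattern: protocol handed to the callback exactly as written.
function protocolAsWritten(url) {
  return rawProtocol(url);
}

// Hardened pattern: normalize case before the callback ever sees it, so
// "JavaScript:" and "JAVASCRIPT:" compare equal to "javascript".
function protocolNormalized(url) {
  return rawProtocol(url).toLowerCase();
}

// The blocklist callback quoted in the CVE text.
const blocklistTrust = (context) => context.protocol !== 'javascript';

// An allowlist callback: only the schemes you expect; everything else untrusted.
const allowlistTrust = (context) =>
  ['http', 'https', '_relative'].includes(context.protocol);

// Build the context object a trust callback receives and apply it.
function isTrusted(url, trustFn, protocolFn) {
  return trustFn({ command: '\\href', url, protocol: protocolFn(url) });
}

// Constructed sample inputs, including the mixed-case bypass.
const samples = [
  'https://example.com/a.png',
  '/relative/a.png',
  'javascript:alert(1)',
  'JavaScript:alert(1)',
  'JAVASCRIPT:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

// One row per sample: which combinations would emit the link.
function report() {
  return samples.map((url) => ({
    url,
    blocklist_as_written: isTrusted(url, blocklistTrust, protocolAsWritten),
    blocklist_normalized: isTrusted(url, blocklistTrust, protocolNormalized),
    allowlist_as_written: isTrusted(url, allowlistTrust, protocolAsWritten),
  }));
}

console.table(report());
```

Two things show up in the table. Normalizing the protocol closes the mixed-case bypass for the quoted blocklist, but the blocklist still lets `data:` through because it only names one bad scheme; the allowlist rejects both, even when the protocol is not normalized, because an unexpected spelling simply is not in the list. If you cannot upgrade the library immediately, an allowlist in your own `trust` callback is the mitigation that does not depend on the library's normalization.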

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1067805. (Wed, 27 Mar 2024 03:57:02 GMT)


Message #8 received at 1067805-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1067805-submitter@bugs.debian.org
Subject: Bug#1067805 marked as pending in node-katex
Date: Wed, 27 Mar 2024 03:52:29 +0000
Control: tag -1 pending

Hello,

Bug #1067805 in node-katex reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-katex/-/commit/5dce3edecfcfd2850dab21d74aee8d27575f69f1

------------------------------------------------------------------------
New upstream version (Closes: #1067805, CVE-2024-28243, CVE-2024-28244, CVE-2024-28245, CVE-2024-28246)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1067805



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 1067805-submitter@bugs.debian.org. (Wed, 27 Mar 2024 03:57:02 GMT)



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Wed, 27 Mar 2024 04:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 27 Mar 2024 04:09:05 GMT)


Message #18 received at 1067805-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1067805-close@bugs.debian.org
Subject: Bug#1067805: fixed in node-katex 0.16.10+~cs6.1.0-1
Date: Wed, 27 Mar 2024 04:05:08 +0000
Source: node-katex
Source-Version: 0.16.10+~cs6.1.0-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-katex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1067805@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-katex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 27 Mar 2024 07:18:56 +0400
Source: node-katex
Architecture: source
Version: 0.16.10+~cs6.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1067805
Changes:
 node-katex (0.16.10+~cs6.1.0-1) unstable; urgency=medium
 .
   * Team upload
   * Update standards version to 4.6.2, no changes needed.
   * Drop .yarn from import
   * New upstream version (Closes: #1067805, CVE-2024-28243, CVE-2024-28244,
     CVE-2024-28245, CVE-2024-28246)
   * Refresh patches
   * Fix babel-plugin-preval version
Checksums-Sha1: 
 a21598bf00e514b6e2577ccea7759fb1676fbe6d 3485 node-katex_0.16.10+~cs6.1.0-1.dsc
 d94d23ed0c3f11b43ff4b335045971fcf72b465c 20596 node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-preval.tar.xz
 fc8631bcd90c78f19f21c23652b9f1ff56007cea 1900 node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-version-inline.tar.xz
 5556fd6a794cef4bb21a9537b262d4072f39aca6 12507068 node-katex_0.16.10+~cs6.1.0.orig.tar.xz
 2ac03cca3aeda06ba516d90b94cb8b73661dbae9 37168 node-katex_0.16.10+~cs6.1.0-1.debian.tar.xz
Checksums-Sha256: 
 d60489e99e50abdf7185a2fd255dda746423468997db0c5c7dc8ac295da507b2 3485 node-katex_0.16.10+~cs6.1.0-1.dsc
 c513cc8ae13b512154a5e49a72666db9f208653c435d10988598a5ec0cb64c6c 20596 node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-preval.tar.xz
 4316bc92abdaa0e055cc1686da853a8e8762fba5925d028d6b51466ec27dad23 1900 node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-version-inline.tar.xz
 53f0b0ec87044dc50ce3470ea166dadf84473c75f0fb8a3a01b20ceb69c93888 12507068 node-katex_0.16.10+~cs6.1.0.orig.tar.xz
 d87bf350c6630de2d822d33933de90e0b782072ec1bd92883075443768a1078b 37168 node-katex_0.16.10+~cs6.1.0-1.debian.tar.xz
Files: 
 b3818335898f1dced954d3424e51ad7f 3485 javascript optional node-katex_0.16.10+~cs6.1.0-1.dsc
 5ed9ac69c972121ee5b6ef4b2d74bb40 20596 javascript optional node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-preval.tar.xz
 2496ed1fcf1d2960e5a498fb823a48f0 1900 javascript optional node-katex_0.16.10+~cs6.1.0.orig-babel-plugin-version-inline.tar.xz
 3fb33b6e39b805b49cd5df8c84cbfd6a 12507068 javascript optional node-katex_0.16.10+~cs6.1.0.orig.tar.xz
 77cb64c785b364c4d1e40e9388ec4a36 37168 javascript optional node-katex_0.16.10+~cs6.1.0-1.debian.tar.xz




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Mar 27 11:52:45 2024; Machine Name: bembo
