Debian Bug report logs - #976446
highlight.js: CVE-2020-26237


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Dec 2020 10:39:04 UTC

Severity: important

Tags: security, upstream

Found in versions highlight.js/9.12.0+dfsg1-4, highlight.js/9.18.1+dfsg1-2

Fixed in version highlight.js/9.18.1+dfsg1-3

Done: Xavier Guimard <yadd@debian.org>

Forwarded to https://github.com/highlightjs/highlight.js/pull/2636



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#976446; Package src:highlight.js. (Sat, 05 Dec 2020 10:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sat, 05 Dec 2020 10:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: highlight.js: CVE-2020-26237
Date: Sat, 05 Dec 2020 11:36:56 +0100
Source: highlight.js
Version: 9.18.1+dfsg1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/highlightjs/highlight.js/pull/2636
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 9.12.0+dfsg1-4

Hi,

The following vulnerability was published for highlight.js.

CVE-2020-26237[0]:
| Highlight.js is a syntax highlighter written in JavaScript.
| Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to
| Prototype Pollution. A malicious HTML code block can be crafted that
| will result in prototype pollution of the base object's prototype
| during highlighting. If you allow users to insert custom HTML code
| blocks into your page/app via parsing Markdown code blocks (or
| similar) and do not filter the language names the user can provide you
| may be vulnerable. The pollution should just be harmless data but this
| can cause problems for applications not expecting these properties to
| exist and can result in strange behavior or application crashes, i.e.
| a potential DOS vector. If your website or application does not render
| user provided data it should be unaffected. Versions 9.18.2 and 10.1.2
| and newer include fixes for this vulnerability. If you are using
| version 7 or 8 you are encouraged to upgrade to a newer release.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26237
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26237
[1] https://github.com/highlightjs/highlight.js/pull/2636
[2] https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
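The advisory text above names the bug class (prototype pollution through an unfiltered language name on a code block) but not the mechanism. The following is an added example written for this page, not highlight.js's own code: the registry layout, the `compileLanguage` step and every function name are assumptions that mimic a highlighter looking up a language by the user-supplied `language-xxx` class and caching compiled state on the language object it finds. It shows why a plain-object lookup with `__proto__` as the key hands the compile step `Object.prototype`, how that breaks unrelated languages afterwards (the "strange behavior" the advisory mentions), and how an own-property lookup on a null-prototype registry closes the hole.

```javascript
// Illustration of the CVE-2020-26237 bug class (prototype pollution through a
// user-supplied language name). Added example for this page; not highlight.js code.
// Assumption: the highlighter caches compiled data on its language objects.

// Vulnerable registry: a plain object, so property lookups walk the prototype chain.
const vulnerableRegistry = {
  javascript: { keywords: 'function var let const' },
  python: { keywords: 'def class import' },
};

// Hardened registry: no prototype at all, and lookups are restricted to own properties.
const safeRegistry = Object.create(null);
safeRegistry.javascript = { keywords: 'function var let const' };
safeRegistry.python = { keywords: 'def class import' };

// Assumed compile step: caches derived data on the language object it is handed.
function compileLanguage(lang) {
  if (lang.compiled) return lang; // already compiled, or *inherits* compiled === true
  lang.compiled = true;
  lang.keywordList = String(lang.keywords || '').split(/\s+/).filter(Boolean);
  return lang;
}

// Extracts the language from a <code class="language-xxx"> class attribute (simplified).
function languageFromClass(className) {
  const m = /(?:^|\s)language-(\S+)/.exec(className || '');
  return m ? m[1] : null;
}

// VULNERABLE: "__proto__" resolves to Object.prototype and "constructor" to Object,
// and the compile step then writes properties onto those shared objects.
function getLanguageVulnerable(name) {
  return vulnerableRegistry[String(name || '').toLowerCase()];
}

function highlightVulnerable(className, source) {
  const lang = getLanguageVulnerable(languageFromClass(className));
  if (!lang) return { language: null, keywordList: [], value: source };
  compileLanguage(lang);
  return { language: languageFromClass(className), keywordList: lang.keywordList, value: source };
}

// HARDENED: only own properties of a null-prototype registry are accepted.
function getLanguageSafe(name) {
  const key = String(name || '').toLowerCase();
  return Object.prototype.hasOwnProperty.call(safeRegistry, key) ? safeRegistry[key] : undefined;
}

function highlightSafe(className, source) {
  const lang = getLanguageSafe(languageFromClass(className));
  if (!lang) return { language: null, keywordList: [], value: source };
  compileLanguage(lang);
  return { language: languageFromClass(className), keywordList: lang.keywordList, value: source };
}

// Runs the crafted block through both paths and reports what happened.
// The input is constructed for the example: a Markdown fence whose info string is
// "__proto__", which a naive renderer turns into <code class="language-__proto__">.
function demo() {
  const crafted = '<code class="language-__proto__">print(1)</code>';
  const className = /class="([^"]*)"/.exec(crafted)[1];

  highlightVulnerable(className, 'print(1)');
  const bystander = {}; // unrelated object created after highlighting
  const pollutedByVulnerable = bystander.compiled === true;
  // Knock-on effect: python now inherits compiled === true, so its own keywords are
  // never compiled and it inherits the empty keyword list from Object.prototype.
  const pythonKeywordsAfterPollution =
    highlightVulnerable('language-python', 'def f(): pass').keywordList;

  // Undo the pollution so the rest of the process is unaffected.
  delete Object.prototype.compiled;
  delete Object.prototype.keywordList;

  highlightSafe(className, 'print(1)');
  const pollutedBySafe = ({}).compiled === true;

  return { pollutedByVulnerable, pythonKeywordsAfterPollution, pollutedBySafe };
}
```

The same own-property check belongs on the Markdown side as well: whatever turns a fence info string into a `class` attribute should accept only names the highlighter actually registers, rather than passing arbitrary user text through.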



Marked as found in versions highlight.js/9.12.0+dfsg1-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 05 Dec 2020 10:39:06 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#976446. (Sat, 05 Dec 2020 10:57:09 GMT)


Message #10 received at 976446-submitter@bugs.debian.org:

From: Xavier Guimard <noreply@salsa.debian.org>
To: 976446-submitter@bugs.debian.org
Subject: Bug#976446 marked as pending in highlight.js
Date: Sat, 05 Dec 2020 10:54:31 +0000
Control: tag -1 pending

Hello,

Bug #976446 in highlight.js reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/highlight.js/-/commit/5ab80b97c94a0e2ea726735a1bbc4367a581230b

------------------------------------------------------------------------
Fix prototype pollution (Closes: #976446 CVE-2020-26237)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/976446



Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 976446-submitter@bugs.debian.org. (Sat, 05 Dec 2020 10:57:09 GMT)


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Sat, 05 Dec 2020 11:15:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 05 Dec 2020 11:15:10 GMT)


Message #17 received at 976446-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 976446-close@bugs.debian.org
Subject: Bug#976446: fixed in highlight.js 9.18.1+dfsg1-3
Date: Sat, 05 Dec 2020 11:11:25 +0000
Source: highlight.js
Source-Version: 9.18.1+dfsg1-3
Done: Xavier Guimard <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
highlight.js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated highlight.js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 05 Dec 2020 11:50:14 +0100
Source: highlight.js
Architecture: source
Version: 9.18.1+dfsg1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 976446
Changes:
 highlight.js (9.18.1+dfsg1-3) unstable; urgency=medium
 .
   * Team upload
   * Fix prototype pollution (Closes: #976446 CVE-2020-26237)
   * Move transitional packages libjs-highlight, node-highlight
     to oldlibs/optional per policy 4.0.1.
   * Declare compliance with policy 4.5.1
   * Change section to javascript
   * Add ctype=nodejs to component(s)
Checksums-Sha1: 
 fe7d576b636cd943623810a22f0ec3bf283fd687 3041 highlight.js_9.18.1+dfsg1-3.dsc
 6dc1914d175d9c362a999e6b07ef80da075922ca 199188 highlight.js_9.18.1+dfsg1-3.debian.tar.xz
Checksums-Sha256: 
 cee2d19f96332ea38e08c921e44c9e3c44fd35f0fe4cf8faf2dfa082f8bd2ba4 3041 highlight.js_9.18.1+dfsg1-3.dsc
 711d133fb156992c9fdb54ec29cb8e371ec8915ea3ab5250ade4452ec636c49e 199188 highlight.js_9.18.1+dfsg1-3.debian.tar.xz
Files: 
 35d263ab7fbe04f82b9fbebadff09003 3041 javascript optional highlight.js_9.18.1+dfsg1-3.dsc
 d575356a234070fde5d63dbdd3aa67c6 199188 javascript optional highlight.js_9.18.1+dfsg1-3.debian.tar.xz







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Dec 6 07:57:42 2020; Machine Name: buxtehude
