Sun Aug 13 09:03:46 2023 UTC ()
Pullup ticket #6781 - requested by taca
textproc/ruby-sanitize: security fix (CVE-2023-36823)

Revisions pulled up:
- textproc/ruby-sanitize/Makefile                               1.3
- textproc/ruby-sanitize/distinfo                               1.3

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Jul  9 02:56:28 UTC 2023

   Modified Files:
   	pkgsrc/textproc/ruby-sanitize: Makefile distinfo

   Log Message:
   textproc/ruby-sanitize: update to 6.0.2

   6.0.2 (2023-07-06)

   Bug Fixes

   * CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
     (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
     6.0.1.

     When using Sanitize's relaxed config or a custom config that allows
     <style> elements and one or more CSS at-rules, carefully crafted input
     could be used to sneak arbitrary HTML through Sanitize.

     See the following security advisory for additional details:
     GHSA-f5ww-cq3m-q3g7

     Thanks to @cure53 for finding this issue.


(bsiegert)
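The log message above gives the affected range as Sanitize 3.0.0 through 6.0.1, with 6.0.2 as the first fixed release. The following is an added example, not code from pkgsrc or the Sanitize project: a small Ruby audit that reads a Gemfile.lock, extracts the pinned gem versions, and reports whether the pinned sanitize version falls inside that range. The sample lockfile is constructed for the example; only stdlib (Gem::Version, Gem::Requirement) is used, so it runs without the sanitize gem installed.

```ruby
# Added example (not from pkgsrc or the Sanitize project): flag a Gemfile.lock
# whose pinned sanitize version lies in the range the 6.0.2 changelog names as
# affected by CVE-2023-36823 (3.0.0 through 6.0.1).
require "rubygems" # Gem::Version / Gem::Requirement come from the stdlib

# Affected range taken from the changelog; 6.0.2 is the first fixed release.
AFFECTED = Gem::Requirement.new(">= 3.0.0", "<= 6.0.1")
FIXED_IN = Gem::Version.new("6.0.2")

# Parse the "specs:" section of a Gemfile.lock into {gem_name => Gem::Version}.
# Only four-space-indented "name (version)" lines are pinned gems; deeper-indented
# lines are dependency constraints and are skipped. A "-platform" suffix
# (e.g. "1.15.3-x86_64-linux") is dropped because Bundler writes platform
# variants that way and Gem::Version would otherwise treat it as a prerelease.
def lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # new top-level section (PLATFORMS, DEPENDENCIES, ...)
    next unless in_specs
    if (m = line.match(/\A {4}([\w.\-]+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2].sub(/-.*\z/, ""))
    end
  end
  specs
end

# Report on the sanitize pin: whether it was found, its version, and whether it
# falls inside AFFECTED.
def audit_sanitize(text)
  specs = lockfile_specs(text)
  return { found: false } unless (v = specs["sanitize"])
  {
    found: true,
    version: v.to_s,
    vulnerable: AFFECTED.satisfied_by?(v),
    fixed_in: FIXED_IN.to_s
  }
end

# Constructed sample lockfile for the example (not a real project's file); it
# pins the last affected release.
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      nokogiri (1.15.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.1)
      sanitize (6.0.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    sanitize (~> 6.0)
LOCK

if __FILE__ == $0
  result = audit_sanitize(VULNERABLE_LOCK)
  if result[:found]
    status = result[:vulnerable] ? "AFFECTED by CVE-2023-36823, upgrade to #{result[:fixed_in]}" : "not affected"
    puts "sanitize #{result[:version]}: #{status}"
  else
    puts "sanitize not pinned in this lockfile"
  end
end
```

Run it against a real lockfile with `audit_sanitize(File.read("Gemfile.lock"))`; the same walk over `lockfile_specs` can be reused for any other advisory by swapping the requirement in AFFECTED.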
diff -r1.2 -r1.2.4.1 pkgsrc/textproc/ruby-sanitize/Makefile
diff -r1.2 -r1.2.4.1 pkgsrc/textproc/ruby-sanitize/distinfo

cvs diff -r1.2 -r1.2.4.1 pkgsrc/textproc/ruby-sanitize/Makefile

--- pkgsrc/textproc/ruby-sanitize/Makefile 2023/02/04 13:33:10 1.2
+++ pkgsrc/textproc/ruby-sanitize/Makefile 2023/08/13 09:03:45 1.2.4.1
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1# $NetBSD: Makefile,v 1.2 2023/02/04 13:33:10 taca Exp $ 1# $NetBSD: Makefile,v 1.2.4.1 2023/08/13 09:03:45 bsiegert Exp $
2 2
3DISTNAME= sanitize-6.0.1 3DISTNAME= sanitize-6.0.2
4CATEGORIES= textproc 4CATEGORIES= textproc
5 5
6MAINTAINER= pkgsrc-users@NetBSD.org 6MAINTAINER= pkgsrc-users@NetBSD.org
7HOMEPAGE= https://github.com/rgrove/sanitize/ 7HOMEPAGE= https://github.com/rgrove/sanitize/
8COMMENT= Allowlist-based HTML and CSS sanitizer 8COMMENT= Allowlist-based HTML and CSS sanitizer
9LICENSE= mit 9LICENSE= mit
10 10
11DEPENDS+= ${RUBY_PKGPREFIX}-crass>=1.0.2<1.1:../../www/ruby-crass 11DEPENDS+= ${RUBY_PKGPREFIX}-crass>=1.0.2<1.1:../../www/ruby-crass
12DEPENDS+= ${RUBY_PKGPREFIX}-nokogiri>=1.12.0:../../textproc/ruby-nokogiri 12DEPENDS+= ${RUBY_PKGPREFIX}-nokogiri>=1.12.0:../../textproc/ruby-nokogiri
13 13
14USE_LANGUAGES= # empty 14USE_LANGUAGES= # empty
15 15
16.include "../../lang/ruby/gem.mk" 16.include "../../lang/ruby/gem.mk"
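Review bot: line 3 is the only change (DISTNAME sanitize-6.0.1 -> sanitize-6.0.2); the DEPENDS bounds on crass (>=1.0.2<1.1) and nokogiri (>=1.12.0) in lines 11-12 are left untouched. That is consistent with the log message, which places the fix in Sanitize's own handling of <style> elements and CSS at-rules rather than in a parser dependency, but a version bump with unchanged DEPENDS is only correct if the 6.0.2 gemspec did not move its own requirements, so please confirm the gem's crass and nokogiri constraints still fall inside those bounds before merging. There is no PKGREVISION line, so nothing needs resetting for the update.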

cvs diff -r1.2 -r1.2.4.1 pkgsrc/textproc/ruby-sanitize/distinfo

--- pkgsrc/textproc/ruby-sanitize/distinfo 2023/02/04 13:33:10 1.2
+++ pkgsrc/textproc/ruby-sanitize/distinfo 2023/08/13 09:03:45 1.2.4.1
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
1$NetBSD: distinfo,v 1.2 2023/02/04 13:33:10 taca Exp $ 1$NetBSD: distinfo,v 1.2.4.1 2023/08/13 09:03:45 bsiegert Exp $
2 2
3BLAKE2s (sanitize-6.0.1.gem) = 7cd8b6d8845065bf5c90b60e2aec935376b87115c0849294692c34cb960a13eb 3BLAKE2s (sanitize-6.0.2.gem) = f44068d396c47968a2f858703761cca30e6f23414f4cebf8178d3012a96cb1e4
4SHA512 (sanitize-6.0.1.gem) = 361141150022788dbb804230621f4003d50d82ce6c8767581a3ec74d61388088546f3105a60b440bedb602de1b06d3a3625218f9e0a23c19409fad3385151267 4SHA512 (sanitize-6.0.2.gem) = 2e83ecf0bcecaec56eaae2935d3f967d983d0dcdce76d358291a3dec1411c5e5e85b80ec3ab6d2d2718211eae6542796744278e9f9a4236157809027403295e1
5Size (sanitize-6.0.1.gem) = 47616 bytes 5Size (sanitize-6.0.2.gem) = 47616 bytes
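Review bot: line 5 keeps Size (sanitize-6.0.2.gem) = 47616 bytes, identical to the 6.0.1 value, while the BLAKE2s and SHA512 digests in lines 3-4 change. An unchanged size is plausible for a .gem, which is a tar archive padded to 512-byte blocks (47616 = 93 * 512), so a small source change need not alter it, but please confirm all three lines were regenerated with `make distinfo` against the fetched 6.0.2 gem rather than edited by hand, so the size is not a stale carry-over from 6.0.1.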