
Update svgo in MobileFrontend/MinervaNeue
Closed, Resolved · Public

Description

svgo, as used by MinervaNeue, has two vulnerabilities:

Please update to a newer version.

#813: js-yaml
Severity: high
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is { toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1 which returns the object { "1553107949161": 1 }
npm advisory

#788: js-yaml
Severity: moderate
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
npm advisory

https://libraryupgrader2.wmflabs.org/library/npm/svgo
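The two advisories above give version floors (js-yaml 3.13.0 for the DoS issue, 3.13.1 for the load() code injection). The script below is an added example, not part of this task or of the svgo/MinervaNeue code, that walks a lockfile's dependency tree and reports every installed js-yaml copy that sits below those floors, with the path through which it is pulled in. It assumes the nested "dependencies" shape of an npm 6 (lockfileVersion 1) package-lock.json; the sample lock fragment and the svgo/js-yaml versions in it are constructed for illustration.

```javascript
// Added example: audit a lockfileVersion-1 package-lock.json for js-yaml versions
// below the advisory fix versions. The ADVISORIES table holds the floors quoted in
// the task description; the sample lock below is constructed, not a real lockfile.

const ADVISORIES = [
  { id: 813, pkg: 'js-yaml', fixedIn: '3.13.1', severity: 'high', title: 'Code Injection via load()' },
  { id: 788, pkg: 'js-yaml', fixedIn: '3.13.0', severity: 'moderate', title: 'Denial of Service' },
];

// Numeric major.minor.patch comparison; any pre-release suffix is ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested "dependencies" tree that npm 6 writes, yielding every
// installed copy (nested duplicates included) together with the path that pulls it in.
function* walkDependencies(deps, path = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    yield { name, version: entry.version, path: here, dev: Boolean(entry.dev) };
    if (entry.dependencies) yield* walkDependencies(entry.dependencies, here);
  }
}

// Match every installed package against the advisory table and return the findings.
function auditLock(lock) {
  const findings = [];
  for (const dep of walkDependencies(lock.dependencies)) {
    for (const adv of ADVISORIES) {
      if (dep.name === adv.pkg && compareVersions(dep.version, adv.fixedIn) < 0) {
        findings.push({
          id: adv.id,
          severity: adv.severity,
          title: adv.title,
          installed: dep.version,
          fixedIn: adv.fixedIn,
          path: dep.path.join(' > '),
          dev: dep.dev,
        });
      }
    }
  }
  return findings;
}

// Constructed sample: one vulnerable js-yaml reached through svgo (a devDependency),
// and one already-patched copy under a second, hypothetical tool.
const sampleLock = {
  name: 'sample-skin',
  lockfileVersion: 1,
  dependencies: {
    svgo: {
      version: '1.2.2',
      dev: true,
      dependencies: { 'js-yaml': { version: '3.12.0', dev: true } },
    },
    'some-other-tool': {
      version: '2.0.0',
      dev: true,
      dependencies: { 'js-yaml': { version: '3.13.1', dev: true } },
    },
  },
};

// Stand-alone run: print one line per finding, e.g.
// "#813 high js-yaml 3.12.0 < 3.13.1 via svgo > js-yaml (dev)".
for (const f of auditLock(sampleLock)) {
  console.log(`#${f.id} ${f.severity} js-yaml ${f.installed} < ${f.fixedIn} via ${f.path}${f.dev ? ' (dev)' : ''}`);
}
```

To run it against a real repository, replace sampleLock with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The path column matters for the remediation: as the patches on this task show, the fix is to bump the parent (svgo) so that it in turn requires a patched js-yaml, rather than pinning js-yaml directly. Note that a dev-only finding is still worth fixing, since the build pipeline that runs svgo parses the YAML that js-yaml would be fed.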

Event Timeline

Restricted Application added subscribers: Masumrezarock100, Aklapper. · Feb 29 2020, 7:26 PM
Jdlrobson triaged this task as High priority.
Jdlrobson added a project: Readers-Web-Backlog.
Jdlrobson moved this task from Incoming to Needs Prioritization on the Readers-Web-Backlog board.

Change 577389 had a related patch set uploaded (by VolkerE; owner: VolkerE):
[mediawiki/skins/MinervaNeue@master] build: Update svgo to latest v1.3.2

https://gerrit.wikimedia.org/r/577389

Change 577389 merged by jenkins-bot:
[mediawiki/skins/MinervaNeue@master] build: Update svgo to latest v1.3.2

https://gerrit.wikimedia.org/r/577389

Volker_E renamed this task from "Update svgo in MinervaNeue skin" to "Update svgo in MobileFrontend/MinervaNeue". · Mar 6 2020, 1:29 AM
Volker_E added a project: MobileFrontend.

Change 577405 had a related patch set uploaded (by VolkerE; owner: VolkerE):
[mediawiki/extensions/MobileFrontend@master] build: Update svgo to latest v1.3.2

https://gerrit.wikimedia.org/r/577405

Volker_E claimed this task. · Mar 6 2020, 1:40 AM
Volker_E added a subscriber: ovasileva.

Change 577405 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] build: Update svgo to latest v1.3.2

https://gerrit.wikimedia.org/r/577405

Niedzielski added a subscriber: Volker_E.
Niedzielski closed this task as Resolved. · Mar 9 2020, 5:35 PM

Minor version bump for both repos has many changes including new plugins, changes to the way viewBox is handled in the removeDimensions plugin, as well as a new recursive option 🎉🎉🎉🎉🎉

https://github.com/svg/svgo/blob/master/CHANGELOG.md#---132--30102019