Page MenuHomePhabricator
Create Task
Maniphest T246544

Update svgo in MobileFrontend/MinervaNeue
Closed, ResolvedPublic
Actions

Description

svgo used by MinervaNeue has two vulnerabilities

Please update to a newer version.

#813: js-yaml
Severity: high
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.
An example payload is { toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1 which returns the object { "1553107949161": 1 }
npm advisory

#788: js-yaml
Severity: moderate
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
npm advisory

https://libraryupgrader2.wmflabs.org/library/npm/svgo

Details

SubjectRepoBranchLines +/-
build: Update svgo to latest v1.3.2mediawiki/extensions/MobileFrontendmaster+62 -60
build: Update svgo to latest v1.3.2mediawiki/skins/MinervaNeuemaster+97 -106
Customize query in gerrit

Event Timeline

Umherirrender created this task.Feb 29 2020, 7:26 PM
Restricted Application added subscribers: Masumrezarock100, Aklapper. · View Herald TranscriptFeb 29 2020, 7:26 PM
Jdlrobson assigned this task to ovasileva.Mar 3 2020, 12:20 AM
Jdlrobson triaged this task as High priority.
Jdlrobson added a project: Web-Team-Backlog.
Jdlrobson moved this task from Incoming to Needs Prioritization on the Web-Team-Backlog board.
ovasileva edited projects, added Web-Team-Backlog (Kanbanana-2019-20-Q3); removed Web-Team-Backlog.Mar 3 2020, 9:10 AM
gerritbot added a comment.Mar 6 2020, 12:25 AM

Change 577389 had a related patch set uploaded (by VolkerE; owner: VolkerE):
[mediawiki/skins/MinervaNeue@master] build: Update svgo to latest v1.3.2

https://gerrit.wikimedia.org/r/577389

gerritbot added a project: Patch-For-Review.Mar 6 2020, 12:25 AM
Jdlrobson moved this task from Needs Analysis to Needs Code Review on the Web-Team-Backlog (Kanbanana-2019-20-Q3) board.Mar 6 2020, 12:41 AM
gerritbot added a comment.Mar 6 2020, 12:50 AM

Change 577389 merged by jenkins-bot:
[mediawiki/skins/MinervaNeue@master] build: Update svgo to latest v1.3.2

https://gerrit.wikimedia.org/r/577389

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.23; 2020-03-10).Mar 6 2020, 1:00 AM
Maintenance_bot removed a project: Patch-For-Review.Mar 6 2020, 1:10 AM
Volker_E renamed this task from Update svgo in MinervaNeue skin to Update svgo in MobileFrontend/MinervaNeue.Mar 6 2020, 1:29 AM
Volker_E added a project: MobileFrontend.
gerritbot added a comment.Mar 6 2020, 1:31 AM

Change 577405 had a related patch set uploaded (by VolkerE; owner: VolkerE):
[mediawiki/extensions/MobileFrontend@master] build: Update svgo to latest v1.3.2

https://gerrit.wikimedia.org/r/577405

gerritbot added a project: Patch-For-Review.Mar 6 2020, 1:31 AM
Volker_E claimed this task.Mar 6 2020, 1:40 AM
Volker_E added a subscriber: ovasileva.
gerritbot added a comment.Mar 6 2020, 2:07 AM

Change 577405 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] build: Update svgo to latest v1.3.2

https://gerrit.wikimedia.org/r/577405

Maintenance_bot removed a project: Patch-For-Review.Mar 6 2020, 2:10 AM
Volker_E moved this task from Needs Code Review to Ready for Signoff on the Web-Team-Backlog (Kanbanana-2019-20-Q3) board.Mar 6 2020, 2:11 AM
Niedzielski claimed this task.Mar 9 2020, 5:11 PM
Niedzielski added a subscriber: Volker_E.
Niedzielski closed this task as Resolved.Mar 9 2020, 5:35 PM

Minor version bump for both repos has many changes including new plugins, changes to the way viewBox is handled in the removeDimensions plugin, as well as a new recursive option 🎉🎉🎉🎉🎉

https://github.com/svg/svgo/blob/master/CHANGELOG.md#---132--30102019

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits