[Pkg-javascript-devel] Bug#1067805: node-katex: CVE-2024-28243 CVE-2024-28244 CVE-2024-28245 CVE-2024-28246

Salvatore Bonaccorso carnil at debian.org
Tue Mar 26 22:22:40 GMT 2024


Source: node-katex
Version: 0.16.4+~cs6.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for node-katex.

CVE-2024-28243[0]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\edef` that causes a near-infinite
| loop, despite setting `maxExpand` to avoid such loops. This can be
| used as an availability attack, where e.g. a client rendering
| another user's KaTeX input will be unable to use the site due to
| memory overflow, tying up the main thread, or stack overflow.
| Upgrade to KaTeX v0.16.10 to remove this vulnerability.


CVE-2024-28244[1]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\def` or `\newcommand` that causes
| a near-infinite loop, despite setting `maxExpand` to avoid such
| loops. KaTeX supports an option named maxExpand which aims to
| prevent infinitely recursive macros from consuming all available
| memory and/or triggering a stack overflow error. Unfortunately,
| support for "Unicode (sub|super)script characters" allows an
| attacker to bypass this limit. Each sub/superscript group
| instantiated a separate Parser with its own limit on macro
| executions, without inheriting the current count of macro executions
| from its parent. This has been corrected in KaTeX v0.16.10.


CVE-2024-28245[2]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\includegraphics` that runs
| arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX
| v0.16.10 to remove this vulnerability.


CVE-2024-28246[3]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| Code that uses KaTeX's `trust` option, specifically that provides a
| function to blacklist certain URL protocols, can be fooled by URLs
| in malicious inputs that use uppercase characters in the protocol.
| In particular, this can allow for malicious input to generate
| `javascript:` links in the output, even if the `trust` function
| tries to forbid this protocol via `trust: (context) =>
| context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to
| remove this vulnerability.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28243
    https://www.cve.org/CVERecord?id=CVE-2024-28243
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
[1] https://security-tracker.debian.org/tracker/CVE-2024-28244
    https://www.cve.org/CVERecord?id=CVE-2024-28244
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc
[2] https://security-tracker.debian.org/tracker/CVE-2024-28245
    https://www.cve.org/CVERecord?id=CVE-2024-28245
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h
[3] https://security-tracker.debian.org/tracker/CVE-2024-28246
    https://www.cve.org/CVERecord?id=CVE-2024-28246
    https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329

Regards,
Salvatore
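The CVE-2024-28244 text above describes a limit-accounting flaw: each sub/superscript group got its own parser with a fresh macro-expansion counter, so `maxExpand` bounded one group rather than the whole render. The toy macro expander below is an added illustration of that design point and is not KaTeX's code; its token syntax (`\name` control words, `{...}` groups), the `budget` object, the `inheritBudget` switch and the sample macros are all constructed for the demonstration. In per-group mode each nested group restarts the count and the three groups together perform 15 expansions under a limit of 6; in shared mode the parent's counter is handed to the child and the limit trips as soon as the total is reached.

```javascript
// Added example, not KaTeX's parser: a minimal TeX-style macro expander used
// to show why an expansion limit must be shared with every sub-parser.

class ExpandLimitExceeded extends Error {}

// Split input into control words (\foo), braces, and single characters.
function tokenise(src) {
  return src.match(/\\[a-zA-Z]+|[{}]|[^\\{}]/g) || [];
}

// env.budget  : { used, max } counter that may be shared with child groups
// env.stats   : { total } counts every expansion performed, for reporting only
// env.inherit : true  -> children share the parent's budget object (safe)
//               false -> children start a fresh counter (the flawed design)
function expand(tokens, env) {
  let out = "";
  let i = 0;
  while (i < tokens.length) {
    const t = tokens[i++];
    if (t.startsWith("\\") && env.macros.has(t)) {
      // Check the limit before doing the work, so the bound is strict.
      if (env.budget.used >= env.budget.max) {
        throw new ExpandLimitExceeded(`maxExpand (${env.budget.max}) reached`);
      }
      env.budget.used++;
      env.stats.total++;
      // TeX semantics: push the replacement back onto the input stream.
      tokens.splice(i, 0, ...tokenise(env.macros.get(t)));
    } else if (t === "{") {
      // Find the matching close brace; the group is handed to a child expander,
      // mirroring a renderer that spins up a sub-parser per group.
      let depth = 1;
      let j = i;
      while (j < tokens.length && depth > 0) {
        if (tokens[j] === "{") depth++;
        else if (tokens[j] === "}") depth--;
        j++;
      }
      if (depth !== 0) throw new Error("unbalanced braces");
      const inner = tokens.slice(i, j - 1);
      i = j;
      const childBudget = env.inherit
        ? env.budget                              // shared: one global bound
        : { used: 0, max: env.budget.max };       // fresh: bound per group only
      out += "{" + expand(inner, { ...env, budget: childBudget }) + "}";
    } else if (t === "}") {
      throw new Error("unbalanced braces");
    } else {
      out += t;
    }
  }
  return out;
}

// Render `src` under a maxExpand limit and report whether it stayed in budget
// and how many expansions were actually performed across all groups.
function render(src, macros, maxExpand, inheritBudget) {
  const stats = { total: 0 };
  const env = { macros, budget: { used: 0, max: maxExpand }, stats, inherit: inheritBudget };
  try {
    const output = expand(tokenise(src), env);
    return { ok: true, output, expansions: stats.total };
  } catch (e) {
    if (e instanceof ExpandLimitExceeded) return { ok: false, output: null, expansions: stats.total };
    throw e;
  }
}

// Constructed sample: \blow costs 1 + 4 = 5 expansions; three groups cost 15.
const SAMPLE_MACROS = new Map([["\\blow", "\\b\\b\\b\\b"], ["\\b", "x"]]);
const SAMPLE_INPUT = "{\\blow}{\\blow}{\\blow}";

if (typeof require !== "undefined" && require.main === module) {
  console.log("per-group counter:", render(SAMPLE_INPUT, SAMPLE_MACROS, 6, false));
  console.log("shared counter   :", render(SAMPLE_INPUT, SAMPLE_MACROS, 6, true));
}
```

The defensive point is the `childBudget` line: whatever object tracks the limit has to be the same object in every nested parser, or the limit is only ever a per-fragment bound and nesting multiplies it.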
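For CVE-2024-28246, the quoted `trust` callback compares `context.protocol` to the lower-case string `'javascript'` and nothing else, so a scheme written with any capital letter is not equal to it and is admitted. The snippet below is an added example, not KaTeX's code: it reproduces the deny-list check from the advisory beside an allow-list check that normalises case first, and runs both over constructed URLs. The `contextFor` helper builds an object with the `command`, `url` and `protocol` fields KaTeX documents for `trust` callbacks, but the scheme extraction and the `_relative` marker for scheme-less URLs are this example's own assumptions about how a renderer fills those fields.

```javascript
// Added example (not KaTeX's own code): deny-list vs allow-list `trust` checks.

// Scheme exactly as written in the input, case preserved. Handing this raw
// value to a trust callback is the situation the advisory describes.
function rawScheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1] : "_relative"; // "_relative" for scheme-less URLs (assumed convention)
}

// Context object in the shape of a `trust` callback argument (constructed here).
function contextFor(command, url) {
  return { command, url, protocol: rawScheme(url) };
}

// The check quoted in the advisory. String equality is case-sensitive, so
// "JavaScript:" or "JAVASCRIPT:" are not equal to "javascript" and pass.
const denyListTrust = (context) => context.protocol !== "javascript";

// Hardened form: schemes are case-insensitive (RFC 3986), so lower-case first,
// then admit only schemes you have positively decided are safe.
const SAFE_SCHEMES = new Set(["http", "https", "_relative"]);
const allowListTrust = (context) => SAFE_SCHEMES.has(context.protocol.toLowerCase());

// Run a list of URLs through a trust callback and return those it admits.
function admitted(trustFn, urls) {
  return urls.filter((u) => trustFn(contextFor("\\href", u)));
}

// Constructed sample inputs: two benign, three spellings of the same scheme.
const SAMPLE_URLS = [
  "https://example.org/paper.pdf",
  "figures/plot.png",
  "javascript:void(0)",
  "JavaScript:void(0)",
  "JAVASCRIPT:void(0)",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("deny-list admits :", admitted(denyListTrust, SAMPLE_URLS));
  console.log("allow-list admits:", admitted(allowListTrust, SAMPLE_URLS));
}
```

The fixed KaTeX release removes the case dependence on its side, but the allow-list shape is worth keeping in application code regardless of library version: a deny-list has to anticipate every spelling and every dangerous scheme, an allow-list only has to name the ones you actually use.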