OPENSUSE-SU-2022:10230-1
Vulnerability from csaf_opensuse - Published: 2022-12-04 09:01 - Updated: 2022-12-04 09:01
Summary
Security update for cherrytree
Notes
Title of the patch
Security update for cherrytree
Description of the patch
cherrytree was updated to version 0.99.49+3:
* Legacy_canonicalize_filename: manage empty filename,
(gh#giuspen/cherrytree#2118)
* added command line option '--anchor AnchorName' that in
addition to existing '--node NodeName' allows to open a
document focusing an anchor in a node.
* Changed non configurable keyboard shortcuts for codebox width
and table column width to use parenthesis open instead of
backslash, (gh#giuspen/cherrytree#2113).
* Fixed crash on double exit from systray icon right click menu,
(gh#giuspen/cherrytree#2114).
* Added keyboard shortcuts to toolbar tooltips,
(gh#giuspen/cherrytree#2106).
* Fixed export to HTML crash, (gh#giuspen/cherrytree#2109).
* Force turning off portal usage since it does not work on all
distros, (gh#giuspen/cherrytree#2111).
* Improved dialog confirmation before executing the code.
* Additional changes for core22, (gh#giuspen/cherrytree#2110).
* Allow to disable the dialog asking for confirmation before
executing the code.
* Fixed bulleted list unindent (Shift+Tab) crash,
(gh#giuspen/cherrytree#2103).
* Add home plug, (gh#giuspen/cherrytree#2101 and
gh#giuspen/cherrytree#2102).
* Linux menu launcher runs cherrytree in a new instance,
(gh#giuspen/cherrytree#2077).
* Fixed crash on print/export as pdf of a sequence of characters
without spaces longer than the page width, such as a very long
URL, (gh#giuspen/cherrytree#2045).
* Fixed wrongly entering column mode when using keyboard
shortcuts with <Ctrl><Alt> such as insert codebox,
(gh#giuspen/cherrytree#2075).
* Added syntax highlighting support for GDScript.
* Fixed tooltip and cursor not reset after hovering link and then
navigating to non rich text node.
* Support for accent insensitive search - added letters with
subordinate dots, (gh#giuspen/cherrytree#1981).
* Translation updates.
- Developer advised fix for a cross-site scripting (XSS) vulnerability
that allows attackers to execute arbitrary web scripts or HTML
via a crafted payload injected into the Name text field when
creating a node, (boo#1202513, gh#giuspen/cherrytree#2099 and
CVE-2022-35133).
Update to version 0.99.48:
* Added support for right to left languages in export to html and
pdf (gh#giuspen/cherrytree#2044, gh#giuspen/cherrytree#1668
and gh#giuspen/cherrytree# #698).
* In order to support the right to left languages in export to
html, the resulting html text lines are no longer LINE<br/> but
<p>LINE</p>.
* Fixed in export to pdf the link to node+anchor with non ascii
anchor name.
* Improved detection of missing executables required for
rendering LatexBoxes. These dependencies are no longer
mandatory (gh#giuspen/cherrytree#2033).
* Added help to the user to show again a hidden menubar
(gh#giuspen/cherrytree#1927 and gh#giuspen/cherrytree#2054).
* Pressing Tab on the very latest table cell now adds a new table
line and moves to its first cell.
* Fixed issue with relative links to files and folders and
documents moved between linux and windows.
* In export to html and txt multiple files, now appending the
node id to the file names to support multiple nodes with the
same name.
* Added syntax highlight support for solidity
(gh#giuspen/cherrytree#2030).
* After issues with the domain giuspen.com, the domain changed to
giuspen.net and giuspen.com will eventually go.
Update to version 0.99.47+2:
* Added support for latex math equations.
* Added copy/paste of tree nodes and subnodes between multiple opened files.
* Restored support for drag and drop of text selection.
Now rich text content is preserved.
* Added syntax highlighting for HCL.
* Fixed issue at reset toolbar in preferences dialog when menubar in titlebar.
* Added command line option (-S/--secondary_session) to run in isolation
from a possibly already running main instance.
* Updated flatpak script.
Update to version 0.99.46+6:
* Fixed time created/modified filter on searches for node name and tags.
* Changed default keyboard shortcuts using Ctrl+Period to Ctrl+Backslash
for clash with latest linux desktops.
* Fixed restore window position on Windows and dual screen.
* Added strip trailing spaces action to rich text right click menu.
* Fixed issue restoring hpaned tree/text position with tree on the right.
* Added command line option to pass the password to open an encrypted document.
Update to version 0.99.45+10:
* added language Arabic
* fixed time created/modified filter on searches for node name and tags
* just ninja build debug print
* added strip trailing spaces action to rich text right click menu
* minor improvement to previous commit
* fixed copy from codebox and pasting to rich text unwanted additional characters
Patchnames
openSUSE-2022-10230
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cherrytree",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\ncherrytree was updated to version 0.99.49+3:\n\n * Legacy_canonicalize_filename: manage empty filename,\n (gh#giuspen/cherrytree#2118)\n * added command line option \u0027--anchor AnchorName\u0027 that in\n addition to existing \u0027--node NodeName\u0027 allows to open a\n document focusing an anchor in a node.\n * Changed non configurable keyboard shortcuts for codebox width\n and table column width to use parenthesis open instead of\n backslash, (gh#giuspen/cherrytree#2113).\n * Fixed crash on double exit from systray icon right click menu,\n (gh#giuspen/cherrytree#2114).\n * Added keyboard shortcuts to toolbar tooltips,\n (gh#giuspen/cherrytree#2106).\n * Fixed export to HTML crash, (gh#giuspen/cherrytree#2109).\n * Force turning off portal usage since it does not work on all\n distros, (gh#giuspen/cherrytree#2111).\n * Improved dialog confirmation before executing the code.\n * Additonal changes for core22, (gh#giuspen/cherrytree#2110).\n * Allow to disable the dialog asking for confirmation before\n executing the code.\n * Fixed bulleted list unindent (Shift+Tab) crash,\n (gh#giuspen/cherrytree#2103).\n * Add home plug, (gh#giuspen/cherrytree#2101 and\n gh#giuspen/cherrytree#2102).\n * Linux menu launcher run cherrytree in a new instance,\n (gh#giuspen/cherrytree#2077).\n * Fixed crash on print/export as pdf of a sequence of characters\n without spaces longer that the page width, such as a very long\n URL, (gh#giuspen/cherrytree#2045).\n * Fixed wrongly entering column mode when using keyboard\n shortcuts with \u003cCtrl\u003e\u003cAlt\u003e such as insert codebox,\n (gh#giuspen/cherrytree#2075).\n * Added syntax highlighting support for GDScript.\n * Fixed tooltip and cursor not reset after hovering link and then\n navigating to non rich text node.\n * Support for accent insensitive search - added letters with\n subordinate dots, (gh#giuspen/cherrytree#1981).\n * Translation updates.\n- Developer advised fixed cross-site scripting (XSS) vulnerability\n that allows attackers to execute arbitrary web scripts or HTML\n via a crafted payload injected into the Name text field when\n creating a node, (boo#1202513, gh#giuspen/cherrytree#2099 and\n CVE-2022-35133).\n\nUpdate to version 0.99.48:\n\n * Added support for right to left languages in export to html and\n pdf (gh#giuspen/cherrytree#2044, gh#giuspen/cherrytree#1668\n and gh#giuspen/cherrytree# #698).\n * In order to support the right to left languages in export to\n html, the resulting html text lines are no longer LINE\u003cbr/\u003e but\n \u003cp\u003eLINE\u003c/p\u003e.\n * Fixed in export to pdf the link to node+anchor with non ascii\n anchor name.\n * Improved detection of missing executables required for\n rendering LatexBoxes. These dependencies are no longer\n mandatory (gh#giuspen/cherrytree#2033).\n * Added help to the user to show again a hidden menubar\n (gh#giuspen/cherrytree#1927 and gh#giuspen/cherrytree#2054).\n * Pressing Tab on the very latest table cell now adds a new table\n line and moves to its first cell.\n * Fixed issue with relative links to files and folders and\n documents moved between linux and windows.\n * In export to html and txt multiple files, now appending the\n node id to the file names to support multiple nodes with the\n same name.\n * Added syntax highlight support for solidity\n (gh#giuspen/cherrytree#2030).\n * After issues with the domain giuspen.com, the domain changed to\n giuspen.net and giuspen.com will eventually go.\n\nUpdate to version 0.99.47+2:\n\n * Added support for latex math equations.\n * Added copy/paste of tree nodes and subnodes between multiple opened files.\n * Restored support for drag and drop of text selection.\n Now rich text content is preserved.\n * Added syntax highlighting for HCL.\n * Fixed issue at reset toolbar in preferences dialog when menubar in titlebar.\n * Added command line option (-S/--secondary_session) to run in isolation\n from a possibly already running main instance.\n * Updated flatpak script.\n\nUpdate to version 0.99.46+6:\n\n * Fixed time created/modified filter on searches for node name and tags.\n * Changed default keyboard shortcuts using Ctrl+Period to Ctrl+Backslash\n for clash with latest linux desktops.\n * Fixed restore window position on Windows and dual screen.\n * Added strip trailing spaces action to rich text right click menu.\n * Fixed issue restoring hpaned tree/text position with tree on the right.\n * Added command line option to pass the password to open an encrypted document.\n\nUpdate to version 0.99.45+10:\n\n * added language Arabic\n * fixed time created/modified filter on searches for node name and tags \n * just ninja build debug print\n * added strip trailing spaces action to rich text right click menu\n * minor improvement to previous commit \n * fixed copy fromm codebox and pasting to rich text unwanted additional characters \n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2022-10230",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_10230-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:10230-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O3LINIV5NYLJYVZQQS73MPYNTWII3ZH2/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:10230-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O3LINIV5NYLJYVZQQS73MPYNTWII3ZH2/"
},
{
"category": "self",
"summary": "SUSE Bug 1202513",
"url": "https://bugzilla.suse.com/1202513"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35133 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35133/"
}
],
"title": "Security update for cherrytree",
"tracking": {
"current_release_date": "2022-12-04T09:01:32Z",
"generator": {
"date": "2022-12-04T09:01:32Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:10230-1",
"initial_release_date": "2022-12-04T09:01:32Z",
"revision_history": [
{
"date": "2022-12-04T09:01:32Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"product": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"product_id": "cherrytree-0.99.49+3-bp154.2.3.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch",
"product": {
"name": "cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch",
"product_id": "cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"product": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"product_id": "cherrytree-0.99.49+3-bp154.2.3.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"product": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"product_id": "cherrytree-0.99.49+3-bp154.2.3.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP4",
"product": {
"name": "SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.aarch64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.aarch64"
},
"product_reference": "cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.s390x as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.s390x"
},
"product_reference": "cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.x86_64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.x86_64"
},
"product_reference": "cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch"
},
"product_reference": "cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.aarch64"
},
"product_reference": "cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.s390x"
},
"product_reference": "cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cherrytree-0.99.49+3-bp154.2.3.2.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.x86_64"
},
"product_reference": "cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch"
},
"product_reference": "cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-35133",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35133"
}
],
"notes": [
{
"category": "general",
"text": "A cross-site scripting (XSS) vulnerability in CherryTree v0.99.30 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"SUSE Package Hub 15 SP4:cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"openSUSE Leap 15.4:cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35133",
"url": "https://www.suse.com/security/cve/CVE-2022-35133"
},
{
"category": "external",
"summary": "SUSE Bug 1202513 for CVE-2022-35133",
"url": "https://bugzilla.suse.com/1202513"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"SUSE Package Hub 15 SP4:cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"openSUSE Leap 15.4:cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"SUSE Package Hub 15 SP4:cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.aarch64",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.s390x",
"openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2.x86_64",
"openSUSE Leap 15.4:cherrytree-lang-0.99.49+3-bp154.2.3.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-12-04T09:01:32Z",
"details": "moderate"
}
],
"title": "CVE-2022-35133"
}
]
}