Security update for cherrytree SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:10230-1 Final 1 1 2022-12-04T09:01:32Z current 2022-12-04T09:01:32Z 2022-12-04T09:01:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cherrytree cherrytree was updated to version 0.99.49+3: * Legacy_canonicalize_filename: manage empty filename, (gh#giuspen/cherrytree#2118) * added command line option '--anchor AnchorName' that in addition to existing '--node NodeName' allows to open a document focusing an anchor in a node. * Changed non configurable keyboard shortcuts for codebox width and table column width to use parenthesis open instead of backslash, (gh#giuspen/cherrytree#2113). * Fixed crash on double exit from systray icon right click menu, (gh#giuspen/cherrytree#2114). * Added keyboard shortcuts to toolbar tooltips, (gh#giuspen/cherrytree#2106). * Fixed export to HTML crash, (gh#giuspen/cherrytree#2109). * Force turning off portal usage since it does not work on all distros, (gh#giuspen/cherrytree#2111). * Improved dialog confirmation before executing the code. * Additonal changes for core22, (gh#giuspen/cherrytree#2110). * Allow to disable the dialog asking for confirmation before executing the code. * Fixed bulleted list unindent (Shift+Tab) crash, (gh#giuspen/cherrytree#2103). * Add home plug, (gh#giuspen/cherrytree#2101 and gh#giuspen/cherrytree#2102). * Linux menu launcher run cherrytree in a new instance, (gh#giuspen/cherrytree#2077). * Fixed crash on print/export as pdf of a sequence of characters without spaces longer that the page width, such as a very long URL, (gh#giuspen/cherrytree#2045). * Fixed wrongly entering column mode when using keyboard shortcuts with <Ctrl><Alt> such as insert codebox, (gh#giuspen/cherrytree#2075). * Added syntax highlighting support for GDScript. * Fixed tooltip and cursor not reset after hovering link and then navigating to non rich text node. * Support for accent insensitive search - added letters with subordinate dots, (gh#giuspen/cherrytree#1981). * Translation updates. - Developer advised fixed cross-site scripting (XSS) vulnerability that allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node, (boo#1202513, gh#giuspen/cherrytree#2099 and CVE-2022-35133). Update to version 0.99.48: * Added support for right to left languages in export to html and pdf (gh#giuspen/cherrytree#2044, gh#giuspen/cherrytree#1668 and gh#giuspen/cherrytree# #698). * In order to support the right to left languages in export to html, the resulting html text lines are no longer LINE<br/> but <p>LINE</p>. * Fixed in export to pdf the link to node+anchor with non ascii anchor name. * Improved detection of missing executables required for rendering LatexBoxes. These dependencies are no longer mandatory (gh#giuspen/cherrytree#2033). * Added help to the user to show again a hidden menubar (gh#giuspen/cherrytree#1927 and gh#giuspen/cherrytree#2054). * Pressing Tab on the very latest table cell now adds a new table line and moves to its first cell. * Fixed issue with relative links to files and folders and documents moved between linux and windows. * In export to html and txt multiple files, now appending the node id to the file names to support multiple nodes with the same name. * Added syntax highlight support for solidity (gh#giuspen/cherrytree#2030). * After issues with the domain giuspen.com, the domain changed to giuspen.net and giuspen.com will eventually go. Update to version 0.99.47+2: * Added support for latex math equations. * Added copy/paste of tree nodes and subnodes between multiple opened files. * Restored support for drag and drop of text selection. Now rich text content is preserved. * Added syntax highlighting for HCL. * Fixed issue at reset toolbar in preferences dialog when menubar in titlebar. * Added command line option (-S/--secondary_session) to run in isolation from a possibly already running main instance. * Updated flatpak script. Update to version 0.99.46+6: * Fixed time created/modified filter on searches for node name and tags. * Changed default keyboard shortcuts using Ctrl+Period to Ctrl+Backslash for clash with latest linux desktops. * Fixed restore window position on Windows and dual screen. * Added strip trailing spaces action to rich text right click menu. * Fixed issue restoring hpaned tree/text position with tree on the right. * Added command line option to pass the password to open an encrypted document. Update to version 0.99.45+10: * added language Arabic * fixed time created/modified filter on searches for node name and tags * just ninja build debug print * added strip trailing spaces action to rich text right click menu * minor improvement to previous commit * fixed copy fromm codebox and pasting to rich text unwanted additional characters The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-10230 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O3LINIV5NYLJYVZQQS73MPYNTWII3ZH2/ E-Mail link for openSUSE-SU-2022:10230-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1202513 SUSE Bug 1202513 https://www.suse.com/security/cve/CVE-2022-35133/ SUSE CVE CVE-2022-35133 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 cherrytree-0.99.49+3-bp154.2.3.2 cherrytree-lang-0.99.49+3-bp154.2.3.2 cherrytree-0.99.49+3-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 cherrytree-lang-0.99.49+3-bp154.2.3.2 as a component of SUSE Package Hub 15 SP4 cherrytree-0.99.49+3-bp154.2.3.2 as a component of openSUSE Leap 15.4 cherrytree-lang-0.99.49+3-bp154.2.3.2 as a component of openSUSE Leap 15.4 A cross-site scripting (XSS) vulnerability in CherryTree v0.99.30 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node. CVE-2022-35133 SUSE Package Hub 15 SP4:cherrytree-0.99.49+3-bp154.2.3.2 SUSE Package Hub 15 SP4:cherrytree-lang-0.99.49+3-bp154.2.3.2 openSUSE Leap 15.4:cherrytree-0.99.49+3-bp154.2.3.2 openSUSE Leap 15.4:cherrytree-lang-0.99.49+3-bp154.2.3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O3LINIV5NYLJYVZQQS73MPYNTWII3ZH2/ https://www.suse.com/security/cve/CVE-2022-35133.html CVE-2022-35133 https://bugzilla.suse.com/1202513 SUSE Bug 1202513