openSUSE: 2022:10230-1 moderate: cherrytree

openSUSE Security Update: Security update for cherrytree
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:10230-1
Rating: moderate
References: #1202513
Cross-References: CVE-2022-35133
CVSS scores:
CVE-2022-35133 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

cherrytree was updated to version 0.99.49+3:

* Legacy_canonicalize_filename: manage empty filename,
(gh#giuspen/cherrytree#2118)
* added command line option '--anchor AnchorName' that in addition to
existing '--node NodeName' allows to open a document focusing an
anchor in a node.
* Changed non configurable keyboard shortcuts for codebox width and
table column width to use parenthesis open instead of backslash,
(gh#giuspen/cherrytree#2113).
* Fixed crash on double exit from systray icon right click menu,
(gh#giuspen/cherrytree#2114).
* Added keyboard shortcuts to toolbar tooltips,
(gh#giuspen/cherrytree#2106).
* Fixed export to HTML crash, (gh#giuspen/cherrytree#2109).
* Force turning off portal usage since it does not work on all distros,
(gh#giuspen/cherrytree#2111).
* Improved dialog confirmation before executing the code.
* Additonal changes for core22, (gh#giuspen/cherrytree#2110).
* Allow to disable the dialog asking for confirmation before executing
the code.
* Fixed bulleted list unindent (Shift+Tab) crash,
(gh#giuspen/cherrytree#2103).
* Add home plug, (gh#giuspen/cherrytree#2101 and
gh#giuspen/cherrytree#2102).
* Linux menu launcher run cherrytree in a new instance,
(gh#giuspen/cherrytree#2077).
* Fixed crash on print/export as pdf of a sequence of characters without
spaces longer that the page width, such as a very long URL,
(gh#giuspen/cherrytree#2045).
* Fixed wrongly entering column mode when using keyboard shortcuts with
such as insert codebox, (gh#giuspen/cherrytree#2075).
* Added syntax highlighting support for GDScript.
* Fixed tooltip and cursor not reset after hovering link and then
navigating to non rich text node.
* Support for accent insensitive search - added letters with subordinate
dots, (gh#giuspen/cherrytree#1981).
* Translation updates.
- Developer advised fixed cross-site scripting (XSS) vulnerability that
allows attackers to execute arbitrary web scripts or HTML via a crafted
payload injected into the Name text field when creating a node,
(boo#1202513, gh#giuspen/cherrytree#2099 and CVE-2022-35133).

Update to version 0.99.48:

* Added support for right to left languages in export to html and pdf
(gh#giuspen/cherrytree#2044, gh#giuspen/cherrytree#1668 and
gh#giuspen/cherrytree# #698).
* In order to support the right to left languages in export to html, the
resulting html text lines are no longer LINE
but LINE.
* Fixed in export to pdf the link to node+anchor with non ascii anchor
name.
* Improved detection of missing executables required for rendering
LatexBoxes. These dependencies are no longer mandatory
(gh#giuspen/cherrytree#2033).
* Added help to the user to show again a hidden menubar
(gh#giuspen/cherrytree#1927 and gh#giuspen/cherrytree#2054).
* Pressing Tab on the very latest table cell now adds a new table line
and moves to its first cell.
* Fixed issue with relative links to files and folders and documents
moved between linux and windows.
* In export to html and txt multiple files, now appending the node id to
the file names to support multiple nodes with the same name.
* Added syntax highlight support for solidity
(gh#giuspen/cherrytree#2030).
* After issues with the domain giuspen.com, the domain changed to
giuspen.net and giuspen.com will eventually go.

Update to version 0.99.47+2:

* Added support for latex math equations.
* Added copy/paste of tree nodes and subnodes between multiple opened
files.
* Restored support for drag and drop of text selection. Now rich text
content is preserved.
* Added syntax highlighting for HCL.
* Fixed issue at reset toolbar in preferences dialog when menubar in
titlebar.
* Added command line option (-S/--secondary_session) to run in isolation
from a possibly already running main instance.
* Updated flatpak script.

Update to version 0.99.46+6:

* Fixed time created/modified filter on searches for node name and tags.
* Changed default keyboard shortcuts using Ctrl+Period to Ctrl+Backslash
for clash with latest linux desktops.
* Fixed restore window position on Windows and dual screen.
* Added strip trailing spaces action to rich text right click menu.
* Fixed issue restoring hpaned tree/text position with tree on the right.
* Added command line option to pass the password to open an encrypted
document.

Update to version 0.99.45+10:

* added language Arabic
* fixed time created/modified filter on searches for node name and tags
* just ninja build debug print
* added strip trailing spaces action to rich text right click menu
* minor improvement to previous commit
* fixed copy fromm codebox and pasting to rich text unwanted additional
characters

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2022-10230=1

Package List:

- openSUSE Backports SLE-15-SP4 (aarch64 s390x x86_64):

cherrytree-0.99.49+3-bp154.2.3.2

- openSUSE Backports SLE-15-SP4 (noarch):

cherrytree-lang-0.99.49+3-bp154.2.3.2

References:

https://www.suse.com/security/cve/CVE-2022-35133.html
https://bugzilla.suse.com/1202513