Created by: slyon
Issue Summary
When working on the Ubuntu package for libjs-mathjax (legacy v2.7) we realized there is a potential security risk, because the file extensions/a11y/invalid_keypress.ogg is marked as an executable file via its UNIX permissions.
Steps to Reproduce:
- Clone this repository
- Checkout the legacy-v2 branch
- ls -la extensions/a11y/invalid_keypress.ogg
  -rwxrwxr-x 1 lukas lukas 5353 Mai 22 15:41 extensions/a11y/invalid_keypress.ogg*
This audio file does not need to be executable and the +x flag should be removed, to avoid the issue where potential attackers would somehow replace it with malicious content.
  chmod -x extensions/a11y/invalid_keypress.ogg
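As an added example (not part of the reporter's issue or of MathJax itself): a small POSIX shell audit that lists, and optionally clears, execute bits on media and data assets in a checkout, so a stray +x on a file like invalid_keypress.ogg is caught before the package is built. The extension list and the use of GNU find's -perm /111 are assumptions; extend the list to match the package being audited.

```shell
#!/bin/sh
# Added example, not MathJax project code.
# Audit a source tree for data/media assets that carry an execute bit.

# Shared matcher: regular files under $1 with any execute bit set and a
# data/media extension (assumed list). Remaining args are the find action.
_asset_exec_find() {
    dir="$1"; shift
    # -perm /111 (GNU find): any of the user/group/other execute bits set.
    find "$dir" -type f -perm /111 \( \
        -name '*.ogg' -o -name '*.mp3' -o -name '*.wav' \
        -o -name '*.png' -o -name '*.jpg' -o -name '*.gif' -o -name '*.svg' \
        -o -name '*.woff' -o -name '*.ttf' -o -name '*.json' -o -name '*.css' \
        \) "$@"
}

# Print offending paths, one per line (empty output means the tree is clean).
find_spurious_exec() {
    _asset_exec_find "${1:-.}" -print
}

# Remediate: clear all execute bits on the offending files only, leaving
# genuine scripts in the tree untouched.
fix_spurious_exec() {
    _asset_exec_find "${1:-.}" -exec chmod a-x {} +
}

# Usage: sh audit_exec_bits.sh <directory>
if [ $# -gt 0 ]; then
    find_spurious_exec "$1"
fi
```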
Technical details:
- MathJax Version: 2.7.4
- Client OS: Ubuntu Linux 20.04