Discuss Scratch
- Discussion Forums
- » Advanced Topics
- » Critical Bug in SVG Renderer, Update Scratch App ASAP!
- apple502j
- Scratcher
1000+ posts
Critical Bug in SVG Renderer, Update Scratch App ASAP!
Critical Cross-site Scripting in Scratch
A cross-site scripting vulnerability was discovered in the SVG rendering engine for Scratch. This can lead to arbitrary code execution when a crafted project is opened in the Scratch app (including Scratch Desktop).
This affects the Scratch website, all versions of Scratch Desktop, and other Scratch 3.0 mods or any applications using the Scratch SVG Renderer. The attack is likely to also be possible in the Scratch app for Android/Chromebook. A similar problem was also discovered in the Forkphorus implementation of the rendering engine.
How to Prevent the Attack
・Scratch website: already patched.
・Scratch Desktop/Scratch app for Windows/macOS: DOWNLOAD AND INSTALL LATEST VERSION 3.17.1. Microsoft Store version is not updated, so use direct download.
・Mods: Pull latest commits of scratch-gui, delete node_modules and package-lock.json and run “npm install” again. If you are editing scratch-svg-renderer, a patch file is available: https://gist.github.com/apple502j/b1a4af80050175d0a23021a38b28ba57 (you need to run “npm install” after applying)
・Forkphorus website: already patched.
・Forkphorus mods: Pull latest commits.
Technical details
・CVE: CVE-2020-7750
・CVSS score: 9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
・CWE: CWE-79/Improper Neutralization of Input During Web Page Generation
How to get Security Update
Microsoft Store version users? Uninstall and switch to direct download!
macOS App Store
・It should be auto-updated.
Direct download
・Check https://scratch.mit.edu/download for details.
Last edited by apple502j (Oct. 22, 2020 03:46:39)
A signature is a feature of the discussion forums. A signature is added to the bottom of all of that person's posts. Signatures can be written in BBCode. To add, change or remove a signature, go to the bottom of the discussion forum home page and press "Change your signature". A signature may be up to 150px tall, including line breaks and images. - Japanese Scratch-Wiki "Signature"
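As an added illustration of the CWE-79 issue the post above describes (not code from Scratch, scratch-svg-renderer or the linked patch): a standalone triage script that opens an .sb3 archive and flags SVG costumes carrying active content, so a mod maintainer can check shared projects before loading them in an unpatched editor. The two sample costumes are constructed, and the checks (script/foreignObject elements, on* handlers, javascript: URLs) are the usual SVG/XSS heuristics, not the project's actual fix.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
# Constructed sample costumes (not from any real project): one clean, one carrying active content.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SUSPICIOUS_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                  '<script></script><a xlink:href="javascript:"><circle r="5" onload=""/></a></svg>')
def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}' from a name."""
    return name.rsplit("}", 1)[-1]

def scan_svg(svg_text):
    """Return human-readable findings for one SVG document (empty list means nothing flagged)."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # A lenient renderer may accept what a strict XML parser rejects, so escalate to a human.
        return [f"unparseable SVG ({exc}); review manually"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            v = "".join(value.split()).lower()  # collapse whitespace so 'java script:' is still caught
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{tag}>")
            elif a in ("href", "src") and v.startswith(("javascript:", "data:text/html")):
                findings.append(f"{a} URL scheme {v.split(':', 1)[0]} on <{tag}>")
    return findings

def scan_sb3(sb3_bytes):
    """Scan every .svg asset inside an .sb3 archive (a zip); returns {asset name: findings}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(sb3_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".svg"):
                hits = scan_svg(zf.read(name).decode("utf-8", "replace"))
                if hits:
                    report[name] = hits
    return report

def build_sample_sb3():
    """Build an in-memory .sb3-style zip holding the two constructed costumes above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clean.svg", CLEAN_SVG)
        zf.writestr("suspicious.svg", SUSPICIOUS_SVG)
    return buf.getvalue()
```

A hit is a reason to inspect the costume by hand, not proof of an exploit; a clean result only means these particular patterns are absent, so updating the renderer remains the real fix.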
- Jeffalo
- Scratcher
1000+ posts
i've updated my signature to spread the word. this is pretty dangerous stuff here apple, you're kinda like a superhero for finding all this!
disclaimer: sometimes my posts are pretty critical of the scratch team (especially my older ones), but i really do scratch & scratch team. jvvg made a short essay thing about the scratch team, which is a pretty good read, if you want a different perspective for the scratch team's actions.
- mtech22
- Scratcher
1000+ posts
Should I just uninstall it or do I have to update it?
aII toasters toast toast, but what happens when there are no longer toasters being produced? will their technology simply become obsolete, with humans moving onto bigger, better things? will toast become a distant memory, written in textbooks of the future as foods us simpler generations ate? who's to say! society is constantly moving, changing, evolving, ideas being built upon, improved upon, theories being proven or disproven. are we but a blip on the timeline? sure, our names may not be remembered, but that's not the point. you can make a change. you can make a difference. you can make the world better, even if you don't know yet. and the first step is to go for it. even if you are afraid of failure. going back to the example of toasters, do you know off the top of your head who invented them? no? have you used one? probably. so, even if you don't remember my name, if I was able to help answer your question, that is enough. if I was able to help you, even in the slightest way, this could push you to continue with scratch and not give up after the program crashes, and maybe one day learn other programming languages and change the world. everything is a cause and effect reaction, new inventions lead to the technology of the future, and even as the generations of the past are slowly forgotten, their influence lives on to this day, affecting how the world eventually turned out and how it will be for generations to come.
and, without toasters, we wouldn't have toast.
- duckboycool
- Scratcher
1000+ posts
> Should I just uninstall it or do I have to update it?
It's probably worth reinstalling either way, but definitely do so if you have the Microsoft Store version.
Last edited by duckboycool (Oct. 21, 2020 13:59:31)
I used to be active on the forums, but I have mostly moved past Scratch. I still do check my Scratch messages, so if you'd like to talk to me, just leave a comment on my profile. My main project on Scratch was Cookie Clicker, but my newest project is Snake Snake, a game based off of Snake, but with two snakes, and you can play either singleplayer or multiplayer.
- mtech22
- Scratcher
1000+ posts
> It's probably worth reinstalling either way, but definitely do so if you have Windows Store version.
I don't have the Windows Store version, so I just uninstalled it. I'm not currently using that device, so if I have to reinstall it I will, but if it's not I won't.
- 4096bits
- Scratcher
1000+ posts
> i've updated my signature to spread the word. this is pretty dangerous stuff here apple, you're kinda like a superhero for finding all this!
Okay, now I'm scared. I just uninstalled the Microsoft Store version of Scratch Desktop and installed the direct download version.
I'll go ahead and warn people about this in my sig too when I have time to do so.
- -Accio-
- Scratcher
1000+ posts
Is this still an issue if you only open your own projects with the app?
Hi There! I'm -Accio-
Currently in university studying chemistry.
Be High Contrast
- apple502j
- Scratcher
1000+ posts
Only when you open bad projects.
- MeowyTitan08
- Scratcher
1000+ posts
Oh dear… The play store won't let me update to that version yet. I just uninstalled it.
remember to wash your pineapple♥️
- Bluebatstar
- Scratcher
1000+ posts
I don't get it… what's going on? I did update the app, this sounds important, but I don't get it.
- Jeffalo
- Scratcher
1000+ posts
> I don't get it… what's going on? I did update the app, this sounds important, but I don't get it.
someone sends you an sb3 (or you open a malicious sb3) and somehow, using some weird stuff, it can run malicious code that can do bad things.
disclaimer: sometimes my posts are pretty critical of the scratch team (especially my older ones), but i really do scratch & scratch team. jvvg made a short essay thing about the scratch team, which is a pretty good read, if you want a different perspective for the scratch team's actions.
- Bluebatstar
- Scratcher
1000+ posts
> someone sends you an sb3 (or you open a malicious sb3) and somehow using some weird stuff it can run malicious code that can do bad things
Ok, I get it. I only use my own projects offline, but it's still a risk, nonetheless. I've updated now.
- GachaN0nsense
- Scratcher
500+ posts
I'll spread word. How did you even find out about this?
MOVING TO @NotDucki_
- Vercte
- Scratcher
500+ posts
> I'll spread word. How did you even find out about this?
They're a bug hunter for websites, AKA a white-hat hacker.
not that active anymore
_________
Seriously. Period. I'm not that active anymore. I've recently realised that Scratch, while good for basic programming, is just not that versatile for making games. So, I've moved on to engines like Roblox and Stencyl, which are entirely different from Scratch. Farewell.
- DC382
- Scratcher
1000+ posts
What would the effects of said bug be?
My browser / operating system: ChromeOS (Linux) 13421.53.0, Chrome 86.0.4240.77, No Flash version detected.
Also, am I safe?
RIP Permaspike: 14/7/2018 - 4/4/2023
How did you learn JS? *compares it to having to do a 10 kilometer dash with burning legos*
How did you learn HTML? *compares to pick-a-door levels in SMM2*
How did you learn CSS? Mozilla and Stack Overflow our lords and saviors.
How did you learn JSON? Plants Versus Zombies 2. Not even kidding.
I study game design in my free time, and things I noticed about the cream of the crop indies:
- Consistent God-Tier Music (Cuphead, Undertale, PVZ, Pizza Tower, Super Meat Boy (Danny B. Soundtrack))
- Unique Visuals (Cuphead's entire existence, PVZ1, Pizza Tower, Super Meat Boy, Untitled Goose Game, Hollow Knight)
- Excellent Gameplay (Cuphead, PVZ, Pizza Tower, Meat Boy, A Hat In Time, Spelunky, BTD, Hollow Knight)
- Modding Support (Pizza Tower, A Hat In Time, Terraria (Calamity music is Awesome))
- Replayability (BTD, Pizza Tower, Terraria, Super Meat Boy)
- Challenge (SUPER MEAT BOY, Hollow Knight)
(I haven't played Stardew Valley, so I cant state my view, and my ' key almost doesnt work.)
- bywok
- Scratcher
100+ posts
I haven't opened any .sb3 files other than my own… but I'll spread word
- pokeshah
- Scratcher
100+ posts
What? This sounds serious, though. What is going on?
- 4096bits
- Scratcher
1000+ posts
> What would the effects of said bug be?
I believe once you load any malicious Scratch 3 file into any Scratch editor, code can be executed, which can be used to harm your computer.
- GoboSnack
- Scratcher
100+ posts
Let's spread the word!