DancingNekoGirl
Scratcher
1000+ posts

Critical Bug in SVG Renderer, Update Scratch App ASAP!

thatfoodorange wrote:

mutedpeep wrote:

Oh. Um, what about mobile users? I use Google Chrome for iPad.
Yeah, I'm using a phone sometimes.
Well, I think if you have the app you should update it anyway. If you're using the site, then you're good.

Last edited by DancingNekoGirl (Oct. 26, 2020 22:41:35)

Chiroyce
Scratcher
1000+ posts

Using the website with any browser is fine, the bug has been fixed in the website.
Scratcher-402
Scratcher
100+ posts

Does this apply to Scratux?
Chiroyce
Scratcher
1000+ posts

Scratcher-402 wrote:

Does this apply to Scratux?

It applies to the offline editor and the app of Scratch 3.0. Older versions and the website aren’t affected.
apple502j
Scratcher
1000+ posts

Scratcher-402 wrote:

Does this apply to Scratux?
Yes. Scratux has not been updated since May.
mrCamelCase
Scratcher
100+ posts

Only just now found this; hopefully no problems?

Edit: It seems like you're only in serious trouble if you've downloaded and executed a .sb3 file you didn't make. Since I only work on my own stuff I'm probably fine, but I've updated anyway. Thanks for the heads-up!

Last edited by mrCamelCase (Oct. 27, 2020 13:29:58)

MrFluffyPenguins
Scratcher
1000+ posts

Yeah, this seems like an issue. I hope the ST makes an announcement about it!

Last edited by MrFluffyPenguins (Oct. 27, 2020 13:50:33)

hat_lab
Scratcher
94 posts

Is 2.0 okay?
mtech22
Scratcher
1000+ posts

hat_lab wrote:

Is 2.0 okay?
Yes, only 3.0 is affected.
Andwhydoyouseegam
Scratcher
23 posts

Critical Cross-site Scripting in Scratch
A cross-site scripting vulnerability was discovered in the SVG rendering engine for Scratch. This can lead to arbitrary code execution when a crafted project is opened in the Scratch app (including Scratch Desktop).
This affects the Scratch website, all versions of Scratch Desktop and other Scratch 3.0 mods, and any application using the Scratch SVG Renderer. The attack is likely to be possible on the Scratch app for Android/Chromebook as well. A similar problem was also discovered in the Forkphorus implementation of the rendering engine.

How to Prevent the Attack
・Scratch website: already patched.
・Scratch Desktop/Scratch app for Windows/macOS: DOWNLOAD AND INSTALL THE LATEST VERSION, 3.17.1. The Microsoft Store version is not updated, so use the direct download.
・Mods: Pull latest commits of scratch-gui, delete node_modules and package-lock.json and run “npm install” again. If you are editing scratch-svg-renderer, a patch file is available: https://gist.github.com/apple502j/b1a4af80050175d0a23021a38b28ba57 (you need to run “npm install” after applying)
・Forkphorus website: already patched.
・Forkphorus mods: Pull latest commits.

Technical details
・CVE: CVE-2020-7750
・CVSS score: 9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
・CWE: CWE-79/Improper Neutralization of Input During Web Page Generation

How to get Security Update
Microsoft Store version users? Uninstall and switch to direct download!

macOS App Store
・It should be auto-updated.

Direct download
・Check https://scratch.mit.edu/download for details.
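A defender-side check prompted by the advisory above, added here as an example and not code from the Scratch project or from anyone in this thread: it opens an .sb3 project (a zip holding project.json plus the costume and sound assets) and flags SVG costumes that carry the active content CWE-79 is about, so a downloaded project can be reviewed before it is opened in an unpatched editor. The asset file names and the two-costume sample project are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}  # code/HTML carriers

def _local(name):
    return name.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix expat adds

def scan_svg(svg_bytes):
    """Return findings for one SVG document; an empty list means nothing flagged."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["unparseable SVG: %s" % exc]  # a lenient renderer may still load it
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in RISKY_TAGS:
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            name = _local(attr)  # xlink:href and plain href both reduce to 'href'
            if name.lower().startswith("on"):
                findings.append("<%s %s> event handler" % (tag, name))
            elif name == "href" and re.sub(r"\s", "", value).lower().startswith("javascript:"):
                findings.append("<%s href=javascript:...>" % tag)
    return findings

def scan_sb3(data):
    """Scan every .svg asset in an .sb3 archive (a zip); returns {asset: findings}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".svg"):
                findings = scan_svg(zf.read(name))
                if findings:
                    report[name] = findings
    return report

def build_sample_sb3():
    """Constructed two-costume project (not a real Scratch file) used to exercise the scanner."""
    clean = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
    risky = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="go()">'
             b'<script>go()</script><a href=" javascript:go()"/></svg>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project.json", "{}")
        zf.writestr("aaaa.svg", clean)
        zf.writestr("bbbb.svg", risky)
    return buf.getvalue()
```

Python's expat does not fetch external entities, but it does expand internal ones, so run the scanner through defusedxml or with a size limit if the projects come from untrusted sources.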
wgyt
Scratcher
1000+ posts

mutedpeep wrote:

apple502j wrote:

snip
Oh. Um, what about mobile users? I use Google Chrome for iPad.
If you are using the Scratch website you should be fine; if you use the mobile app, update to 3.17.1.
thatfoodorange
Scratcher
9 posts

DancingNekoGirl wrote:

thatfoodorange wrote:

mutedpeep wrote:

Oh. Um, what about mobile users? I use Google Chrome for iPad.
Yeah, I'm using a phone sometimes.
Well, I think if you have the app you should update it anyway. If you're using the site, then you're good.
I'm using the site.

Last edited by thatfoodorange (Oct. 27, 2020 22:10:35)

sealifefriend
Scratcher
500+ posts

…. huh…..
MeIzAwezomeDede
Scratcher
1000+ posts

*laughs in 2.0*
Really though, this seems pretty bad.
lambodhar
Scratcher
41 posts

Are you sure about this?
Krokophant
Scratcher
100+ posts

So why is this dangerous?
DancingNekoGirl
Scratcher
1000+ posts

Krokophant wrote:

So why is this dangerous?
Well, you can get all sorts of things, like viruses. Oh, and there's the risk of your personal data being stolen.
Andwhydoyouseegam
Scratcher
23 posts

when I receive money [ v]
play sound lol [ v] until done
thatfoodorange
Scratcher
9 posts

Andwhydoyouseegam wrote:

when I receive money [ v]
play sound lol [ v] until done
play sound [lol v] until done
Andwhydoyouseegam
Scratcher
23 posts

thatfoodorange wrote:

Andwhydoyouseegam wrote:

when I receive money [ v]
play sound lol [ v] until done
play sound [lol v] until done