Date: Tue, 7 Apr 2015 14:11:25 -0700
From: Reed Loden <reed@...dloden.com>
To: Assign a CVE Identifier <cve-assign@...re.org>, rubysec-announce@...glegroups.com, 
	oss-security@...ts.openwall.com, ruby-security-ann@...glegroups.com
Subject: redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown

Title: redcarpet and related gems allow for possible XSS of untrusted
markdown if autolink extension is enabled

Date: 2015-04-07

CVE: Yet to be assigned.

Credit: Daniel LeCheminant (@...ec)

Download: https://rubygems.org/gems/redcarpet

Description: Markdown to (X)HTML parser

Fix:
https://github.com/vmg/redcarpet/commit/e5a10516d07114d582d13b9125b733008c61c242

This fix is included in Redcarpet 3.2.3.

Initial research suggests this issue affects:

* https://github.com/vmg/sundown 1.16.0 (last version before the library was deprecated)
* https://github.com/vmg/redcarpet 3.2.2
* https://github.com/hoedown/hoedown 3.0.1

It also affects other (less popular) libraries based off of sundown,
including:

* https://github.com/benmills/robotskirt 2.7.1
* https://github.com/FSX/misaka 1.0.2
* https://github.com/chobie/php-sundown 0.3.11

Users of these libraries may be vulnerable if the autolink extension is
enabled.

More information is available at:

* http://danlec.com/blog/bug-in-sundown-and-redcarpet (excellent write-up!)
* https://hackerone.com/reports/46916

~reed
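An added dependency check, not part of Reed's advisory or of the redcarpet project: it parses a Gemfile.lock and flags a resolved redcarpet version below 3.2.3, the release the advisory names as carrying the fix. The lockfile text, the function names and the gem names other than redcarpet are constructed for this example.

```ruby
# Added example: audit a Gemfile.lock for a redcarpet release that predates
# the 3.2.3 fix named in the advisory. The lockfile below is constructed
# sample input; the helper names are this example's own.

require 'rubygems' # Gem::Version ships with RubyGems (stdlib)

# Boundary taken from the advisory: 3.2.2 and earlier are affected,
# 3.2.3 includes the fix commit.
FIXED_REDCARPET = Gem::Version.new('3.2.3')

# Parse the "specs:" section(s) of a Gemfile.lock into
# { gem_name => Gem::Version }. Resolved gems sit at four spaces of
# indentation ("    redcarpet (3.2.2)"); their dependency constraints sit
# at six ("      rack (>= 1.0)") and are skipped. A non-indented line such
# as "PLATFORMS" or "DEPENDENCIES" ends the section.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line =~ /^\S/
    next unless in_specs
    if (m = line.match(/^ {4}(\S+) \(([^)]+)\)\s*$/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# Return human-readable findings; empty when redcarpet is absent or fixed.
def redcarpet_findings(specs)
  findings = []
  version = specs['redcarpet']
  if version && version < FIXED_REDCARPET
    findings << "redcarpet #{version} is below #{FIXED_REDCARPET}: upgrade, " \
                'or keep the :autolink extension disabled until you can'
  end
  findings
end

# Convenience wrapper for a lockfile on disk.
def audit_lockfile(path)
  redcarpet_findings(parse_lockfile_specs(File.read(path)))
end

# Constructed sample lockfile: one affected gem plus unrelated entries.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      redcarpet (3.2.2)
      rack (1.6.0)
      example_web_gem (1.0.0)
        rack (>= 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example_web_gem
    redcarpet (~> 3.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  findings = redcarpet_findings(parse_lockfile_specs(SAMPLE_LOCKFILE))
  puts(findings.empty? ? 'no affected redcarpet version found' : findings)
end
```

Run `audit_lockfile('Gemfile.lock')` against a real application to get the same findings list. The check only reports the gem version; whether the application actually enables the `:autolink` extension, which the advisory gives as the condition for exposure, still has to be confirmed in the code that constructs the Redcarpet renderer.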
