Date: Mon, 20 Apr 2015 12:26:29 -0400 (EDT)
Subject: Re: redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown

This appears to be a complex situation because of the various codebase
relationships, including the relationship between the
Sundown/Redcarpet codebase and the site-specific codebase for the website.

There's no doubt that there was an interesting bug found (i.e., the
"rewind into previous inline" bug) and that the bug had a real-world
impact on some Redcarpet users. However, that's not necessarily enough
to have a CVE ID.

One issue in question is "in the meantime we've hardened our HTML
postprocessor, which also eliminates this bug" in the post. This is
perhaps similar to what was mentioned about remarkable in the post.

Basically, we're not convinced that anyone should have been relying on
Redcarpet as having the security property that it would prevent XSS
attacks. In that sense, the "rewind into previous inline" bug would
not be categorized as a vulnerability. Apparently had an
unspecified HTML postprocessor that might be interpreted as having
either some responsibility or all responsibility for preventing XSS
attacks. Similarly, in the case of a PHP-based site elsewhere, the
overall site design might include both a Markdown implementation and
also HTML Purifier. Also, didn't
announce 3.2.3 as a security update. We realize that Redcarpet has a
:filter_html flag, but the level of focus toward addressing XSS seems
small compared to something like HTML Purifier, suggesting different
design goals.

So, at this point, the available information suggests categorizing as a site-specific problem on and on other sites that were relying on Redcarpet in
ways that went beyond the Redcarpet design goals. If there is other
information suggesting that the only reasonable interpretation is that
it is a Redcarpet vulnerability that must have a CVE assigned against
the Sundown/Redcarpet codebase, please let us know.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]