Bug 1110214 (CVE-2014-3743)

Summary: CVE-2014-3743 marked: multiple content injection vulnerabilities
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jrusnack, tchollingsworth
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: marked 0.3.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-18 04:32:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1110215, 1110216
Bug Blocks:

Description Vasyl Kaigorodov 2014-06-17 09:14:00 UTC
Marked comes with an option to sanitize user output to help protect against content injection attacks.

...
sanitize: true
...

Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser.

Injection is possible in two locations:

 - GFM code blocks (language)
 - javascript: URLs

External References:

 https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities
 http://www.securityfocus.com/bid/67356
 http://permalink.gmane.org/gmane.comp.security.oss.general/12787
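
The two injection points named in the report, shown in a toy renderer with one hardened form beside each. This is an added example for this page, not marked's code and not the upstream fix; the function names and the scheme allowlist are this example's own choices. Point 1 is a fenced-block language string copied into a class attribute without escaping; point 2 is a link whose target is escaped as an attribute value but never checked for its scheme, so a `javascript:` URL is emitted as-is.

```javascript
// Added example, not marked's code: a toy renderer with the two injection
// points the report names (fenced-block language, javascript: link targets),
// each beside one hardened form. Function names are this example's own.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Injection point 1: the code body is escaped, but the language string that
// follows the opening ``` is placed into a class attribute verbatim.
function renderCodeBlockUnsafe(lang, code) {
  return '<pre><code class="lang-' + lang + '">' + escapeHtml(code) + '</code></pre>\n';
}

// Hardened: keep only a leading run of identifier characters, escape it, and
// emit no class attribute at all when nothing survives.
function renderCodeBlockSafe(lang, code) {
  const m = /^[A-Za-z0-9_+#.-]+/.exec(String(lang || '').trim());
  const cls = m ? ' class="lang-' + escapeHtml(m[0]) + '"' : '';
  return '<pre><code' + cls + '>' + escapeHtml(code) + '</code></pre>\n';
}

// Injection point 2: attribute escaping is not enough, because
// "javascript:alert(1)" is already a well-formed attribute value.
function renderLinkUnsafe(href, text) {
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}

// Scheme allowlist. The check runs on a normalised copy: HTML character
// references are decoded and whitespace/control bytes removed, because the
// browser does both before it looks at the scheme ("java&#x73;cript:",
// "java\tscript:"), and case is folded for the same reason.
function isSafeUrl(href) {
  const u = String(href)
    .replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, v) =>
      String.fromCharCode(v[0].toLowerCase() === 'x' ? parseInt(v.slice(1), 16) : parseInt(v, 10)))
    .replace(/[\x00-\x20\x7f]/g, '')
    .toLowerCase();
  const colon = u.indexOf(':');
  if (colon === -1) return true;                  // no scheme: relative URL
  const delim = u.search(/[\/?#]/);
  if (delim !== -1 && delim < colon) return true; // colon sits inside path/query
  return ['http', 'https', 'mailto'].includes(u.slice(0, colon));
}

// Hardened: when the target fails the allowlist, render only the link text.
function renderLinkSafe(href, text) {
  if (!isSafeUrl(href)) return escapeHtml(text);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}
```

The allowlist must run on the decoded, whitespace-stripped form and must be an allowlist rather than a "starts with javascript:" check, since the browser normalises the attribute before resolving the scheme. For an application that cannot upgrade marked immediately, the same two checks can be applied by running marked's HTML output through a DOM-based sanitizer before it reaches the page; escaping the whole output instead would also destroy the legitimate markup.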

Comment 1 Vasyl Kaigorodov 2014-06-17 09:14:34 UTC
Created marked tracking bugs for this issue:

Affects: fedora-all [bug 1110215]
Affects: epel-6 [bug 1110216]

Comment 2 T.C. Hollingsworth 2014-06-18 04:32:18 UTC
This is already resolved by the 0.3.2 update on 2014-04-19.