Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now! (Security News, April 2022)
To create lists you need to add special tags at the start and end of the list, and then special tags at the start and end of each item, which makes proofreading harder than it needs to be, like this.
Worse, your marked-up text only works on websites, or in browser-like windows, so you need a plethora of conversion tools anyway if you also want to render your documents into plain ASCII, or some other widely-used format such as PDF, RTF or DOCX. Worst, not all HTML markup can readily be converted into other formats, so you need to remember which HTML constructs you're not allowed to use, in case you end up with a document where most, but not all, of the content can be rendered in other types of file.
Ruby, a popular programming language widely used for web development, has numerous support tools, including one called asciidoc-include-ext (short for Asciidoctor Include Extension), which handles include directives for the Asciidoctor document processor.
The asciidoc-include-ext code turned out to have a command injection vulnerability, whereby a deliberately misplaced backslash in a user-supplied file could trick the library into running remote commands directly instead of simply referencing a URL. The bug was found earlier this week by security researcher Joern Schneeweisz of GitLab, and has been assigned the bug identifier CVE-2022-24803.
If the URL part is deliberately split into two lines using Ruby's line continuation character, such that the first line is a shell command and the second is a plain URL, then only the second line is checked to see if it passes the "Valid URL" test, which it does.
The line continuation character means that the data ultimately gets processed as if it were a single line, so whatever shell command was placed on the first line gets executed along with the URL on the second.
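The root cause described above is a mismatch between what gets validated and what gets used: the check looks at one physical line, while the consumer sees the joined value. The following Ruby snippet is an added illustration of that pattern and of the defensive fix, not code from the asciidoc-include-ext gem or from the article; the helper names (`weak_url_check?`, `strict_url_check?`, `joined_value`) and the sample strings are constructed for this example.

```ruby
require "uri"

# Constructed sample input: a value split across two physical lines with a
# backslash line continuation. The first line is deliberately NOT a URL; only
# the second line looks like one. (Hypothetical data, not from the article.)
SAMPLE_CONTINUED = "anything-but-a-url \\\nhttps://example.com/doc.adoc"
SAMPLE_PLAIN     = "https://example.com/doc.adoc"

# An http(s) URL with no whitespace and no backslashes anywhere.
URL_RE = %r{\Ahttps?://[^\s\\]+\z}

# What a downstream consumer actually sees once line continuations are folded.
def joined_value(raw)
  raw.gsub("\\\n", "")
end

# Flawed pattern: validate only the last physical line. This passes a
# continued value whose joined form is not a URL at all, which is exactly the
# validate-one-thing-use-another gap the article describes.
def weak_url_check?(raw)
  raw.lines.last.to_s.chomp.match?(URL_RE)
end

# Hardened pattern: refuse line breaks and continuation characters outright,
# then validate the full value (the same string the consumer will use) both
# syntactically and by parsing it with URI.
def strict_url_check?(raw)
  return false if raw.match?(/[\r\n\\]/)
  return false unless raw.match?(URL_RE)
  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    return false
  end
  %w[http https].include?(uri.scheme) && !uri.host.nil? && !uri.host.empty?
end

if $PROGRAM_NAME == __FILE__
  puts "consumer sees: #{joined_value(SAMPLE_CONTINUED).inspect}"
  puts "weak   check, continued value: #{weak_url_check?(SAMPLE_CONTINUED)}"
  puts "strict check, continued value: #{strict_url_check?(SAMPLE_CONTINUED)}"
  puts "strict check, plain URL:       #{strict_url_check?(SAMPLE_PLAIN)}"
end
```

The general lesson is to validate the exact byte string that will be consumed, after any normalization or folding, and to reject control characters and continuation syntax before the value reaches anything that might interpret it. Beyond the check itself, the safest mitigation is never to hand untrusted strings to an API that can spawn a process; fetch remote includes with a purpose-built HTTP client rather than a generic open-style call.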
Related vulnerability

| Date | CVE | Vulnerability title | Risk (CVSS score) |
|---|---|---|---|
| 2022-04-01 | CVE-2022-24803 | Unspecified vulnerability in Asciidoctor-Include-Ext (Asciidoctor-Include-Ext Project). Asciidoctor-include-ext is Asciidoctor's standard include processor reimplemented as an extension. | 9.8 |