Bug 2060662 (CVE-2022-24724)

Summary: CVE-2022-24724 cmark-gfm: possible RCE due to integer overflow
Product: [Other] Security Response
Component: vulnerability
Reporter: Anten Skrabec <askrabec>
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: petersen, vitaly
Keywords: Security
Hardware: All
OS: Linux
Target Milestone: ---
Target Release: ---
Bug Depends On: 2060663, 2060664, 2060665, 2060666, 2060667, 2060668, 2074997, 2074998
Bug Blocks:

Description Anten Skrabec 2022-03-03 23:31:40 UTC
cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user-controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions: 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
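The overflow class the description refers to, as an added example that is not cmark-gfm's own code and not the upstream fix: a toy marker-row counter in C that keeps the column count in a uint16_t, shows how that counter wraps past UINT16_MAX so that storage sized from it ends up smaller than the number of cells actually parsed, and a checked variant that rejects the row before the counter can wrap. The function names (`count_row`, `cells_out_of_bounds`, `count_row_checked`, `make_row`, the `*_width` wrappers) and the one-cell-per-pipe simplification are this example's own assumptions; nothing is written out of bounds, the size mismatch is only computed and reported.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a table marker-row parser (NOT cmark-gfm's row_from_string).
 * Simplification assumed here: every '|' in the row is one cell. */

/* What the parser records for one row: the true cell count, and the value
 * a uint16_t column counter ends up holding after the same increments. */
typedef struct {
    size_t   real_cells;    /* full-width count of cells seen */
    uint16_t narrow_count;  /* uint16_t counter: 65535 + 1 wraps to 0 */
} row_count;

static row_count count_row(const char *row) {
    row_count rc = {0, 0};
    for (const char *p = row; *p != '\0'; p++) {
        if (*p == '|') {
            rc.real_cells++;
            rc.narrow_count++;   /* modular arithmetic, no error raised */
        }
    }
    return rc;
}

/* Vulnerable pattern: per-column storage is sized from the narrow counter
 * (think calloc(n_columns, ...)), while a later loop visits every cell that
 * was actually parsed. Returns how many cells would fall outside that
 * storage; 0 means the sizes agree. */
static size_t cells_out_of_bounds(const char *row) {
    row_count rc = count_row(row);
    size_t allocated = rc.narrow_count;
    return rc.real_cells > allocated ? rc.real_cells - allocated : 0;
}

/* Hardened pattern: refuse the row before the counter can wrap.
 * Returns 1 and stores the count on success, 0 if the row is rejected. */
static int count_row_checked(const char *row, uint16_t *out_columns) {
    uint16_t n = 0;
    for (const char *p = row; *p != '\0'; p++) {
        if (*p == '|') {
            if (n == UINT16_MAX) return 0;   /* would wrap: reject the row */
            n++;
        }
    }
    *out_columns = n;
    return 1;
}

/* Constructed input: a marker row made of `cells` pipe characters. Caller frees. */
static char *make_row(size_t cells) {
    char *row = malloc(cells + 1);
    if (row == NULL) return NULL;
    memset(row, '|', cells);
    row[cells] = '\0';
    return row;
}

/* Convenience wrappers over a constructed row of the given width. */
static size_t oob_for_width(size_t cells) {
    char *row = make_row(cells);
    if (row == NULL) return (size_t)-1;
    size_t oob = cells_out_of_bounds(row);
    free(row);
    return oob;
}

static int checked_accepts_width(size_t cells) {
    char *row = make_row(cells);
    if (row == NULL) return -1;
    uint16_t cols;
    int ok = count_row_checked(row, &cols);
    free(row);
    return ok;
}

int main(void) {
    const size_t widths[] = {3, UINT16_MAX, (size_t)UINT16_MAX + 1, (size_t)UINT16_MAX + 10};
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        char *row = make_row(widths[i]);
        if (row == NULL) return 1;
        row_count rc = count_row(row);
        printf("%zu cells: uint16_t counter holds %u, %zu cells outside sized storage, "
               "checked parser %s\n",
               widths[i], (unsigned)rc.narrow_count, cells_out_of_bounds(row),
               checked_accepts_width(widths[i]) ? "accepts" : "rejects");
        free(row);
    }
    return 0;
}
```

The point for reviewers of similar parsers is the shape of the defect rather than this particular loop: any count held in a narrow type and later reused to size or index heap storage needs an explicit limit check at the increment, and the `count_row_checked` form is the one to look for when auditing a fix.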


Comment 1 Anten Skrabec 2022-03-03 23:32:56 UTC
Created ghc-cmark-gfm tracking bugs for this issue:

Affects: fedora-34 [bug 2060663]
Affects: fedora-35 [bug 2060665]

Created ghostwriter tracking bugs for this issue:

Affects: fedora-34 [bug 2060664]
Affects: fedora-35 [bug 2060666]

Comment 8 errata-xmlrpc 2022-07-18 14:30:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5597 https://access.redhat.com/errata/RHSA-2022:5597