Bug 2128044 (CVE-2022-39209)

Summary: CVE-2022-39209 cmark-gfm: Unbounded resource exhaustion may lead to denial of service
Product: [Other] Security Response
Component: vulnerability
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: amackenz, amasferr, chazlett, mkudlej, petersen, tjochec, vitaly
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: cmark-gfm 0.29.0.gfm.6
Doc Type: If docs needed, set a value
Bug Depends On: 2128048, 2128050, 2139273, 2128045, 2128046, 2128047
Bug Blocks: 2128049

Description Guilherme de Almeida Suckevicz 2022-09-19 17:37:07 UTC
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6, a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will exhaust resources on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

Reference:
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q

Upstream patch:
https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
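The one-shot reproducer above either renders or hangs, which says nothing about how the cost actually grows with input size. The following is an added example, not code from cmark-gfm or from this bug report: it renders the same `![l` payload at several sizes through `cmark-gfm -e autolink` with a timeout, then fits the slope of log(time) against log(size) to estimate the polynomial degree. It assumes a `cmark-gfm` binary on PATH that accepts `-e autolink` on stdin, as the description states; the sizes and the 30 second timeout are choices made here, not values from the advisory.

```python
"""Added example (not part of cmark-gfm or of the bug report): a timing probe
for the CVE-2022-39209 autolink reproducer.

Assumption: a `cmark-gfm` binary on PATH that reads CommonMark on stdin and
accepts `-e autolink`, as the bug description states.
"""
import math
import shutil
import subprocess
import time
from typing import List, Optional, Tuple


def payload(n: int) -> str:
    """The reproducer from the bug description: n copies of "![l" plus a newline."""
    return "![l" * n + "\n"


def time_render(binary: str, n: int, timeout: float) -> Optional[float]:
    """Render payload(n) with `binary -e autolink`.

    Returns wall-clock seconds, or None if the render exceeded `timeout`
    (the process is killed by subprocess in that case).
    """
    start = time.monotonic()
    try:
        subprocess.run(
            [binary, "-e", "autolink"],
            input=payload(n).encode(),
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
            check=False,
        )
    except subprocess.TimeoutExpired:
        return None
    return time.monotonic() - start


def growth_exponent(timings: List[Tuple[int, float]]) -> float:
    """Least-squares slope of log(t) against log(n).

    About 1 means linear cost, about 2 quadratic, and so on.  Needs at least
    two points with distinct n and strictly positive times.
    """
    xs = [math.log(n) for n, _ in timings]
    ys = [math.log(t) for _, t in timings]
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    var = sum((x - mx) ** 2 for x in xs)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / var


def probe(binary: str = "cmark-gfm",
          sizes: Tuple[int, ...] = (5_000, 10_000, 20_000, 40_000),
          timeout: float = 30.0):
    """Time the reproducer at each size; stop at the first timeout.

    Returns (timings, exponent).  A None time means that size hit the timeout;
    exponent is None when fewer than two sizes finished.  Sizes and timeout
    are assumptions made for this example, not values from the advisory.
    """
    path = shutil.which(binary)
    if path is None:
        raise FileNotFoundError(f"{binary} not found on PATH")
    timings: List[Tuple[int, Optional[float]]] = []
    for n in sizes:
        t = time_render(path, n, timeout)
        timings.append((n, t))
        if t is None:
            break  # larger inputs will only take longer
    usable = [(n, t) for n, t in timings if t is not None and t > 0]
    exponent = growth_exponent(usable) if len(usable) >= 2 else None
    return timings, exponent


if __name__ == "__main__":
    results, degree = probe()
    for n, t in results:
        print(f"n={n:>7}: {'timeout' if t is None else f'{t:.3f}s'}")
    print("estimated growth exponent:",
          "n/a" if degree is None else f"{degree:.2f}")
```

An estimated exponent well above 1, or a timeout at one of the smaller sizes, is the signature of the superlinear behaviour the advisory describes; after upgrading to 0.29.0.gfm.6 the same sizes should complete and the exponent should drop. Run the probe on both the old and the new build rather than trusting a single "it did not hang" result, since the cost at a single size also depends on the machine.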

Comment 1 Guilherme de Almeida Suckevicz 2022-09-19 17:37:33 UTC
Created ghc-cmark-gfm tracking bugs for this issue:

Affects: fedora-all [bug 2128045]


Created ghostwriter tracking bugs for this issue:

Affects: fedora-all [bug 2128046]


Created python-cmarkgfm tracking bugs for this issue:

Affects: epel-8 [bug 2128048]
Affects: fedora-all [bug 2128047]

Comment 3 Jens Petersen 2022-09-21 09:39:20 UTC
For ghc-cmark-gfm I opened https://github.com/kivikakk/cmark-gfm-hs/issues/24