Source: cmark-gfm
X-Debbugs-CC: team.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for cmark-gfm.

CVE-2023-22483[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to several polynomial time complexity issues in cmark-gfm that
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Various commands, when piped to cmark-gfm with large values,
| cause the running time to increase quadratically. These
| vulnerabilities have been patched in version 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c

CVE-2023-22484[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to a polynomial time complexity issue in cmark-gfm that may
| lead to unbounded resource exhaustion and subsequent denial of
| service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r

CVE-2023-22485[2]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior to 0.29.0.gfm.7, a
| crafted markdown document can trigger an out-of-bounds read in the
| `validate_protocol` function. We believe this bug is harmless in
| practice, because the out-of-bounds read accesses `malloc` metadata
| without causing any visible damage. This vulnerability has been patched
| in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

CVE-2023-22486[3]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7
| contain a polynomial time complexity issue in handle_close_bracket
| that may lead to unbounded resource exhaustion and subsequent denial
| of service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22483
    https://www.cve.org/CVERecord?id=CVE-2023-22483
[1] https://security-tracker.debian.org/tracker/CVE-2023-22484
    https://www.cve.org/CVERecord?id=CVE-2023-22484
[2] https://security-tracker.debian.org/tracker/CVE-2023-22485
    https://www.cve.org/CVERecord?id=CVE-2023-22485
[3] https://security-tracker.debian.org/tracker/CVE-2023-22486
    https://www.cve.org/CVERecord?id=CVE-2023-22486

Please adjust the affected versions in the BTS as needed.
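The four advisories above share one fixed release (0.29.0.gfm.7) and three of them describe quadratic running time on large inputs. The following is an added example, not part of the bug report or of the cmark-gfm project, showing two checks a packager or service owner would want: a comparison of a `MAJOR.MINOR.PATCH.gfm.N` version string against the fixed release, and a wrapper that feeds markdown to an external renderer only under an input-size cap and a wall-clock timeout, so an unpatched build cannot be driven into unbounded resource use. The default renderer command (`cmark-gfm` reading stdin) and the version-string shape are assumptions; the tests run with stand-in commands so no cmark-gfm install is required.

```python
"""Added example (not from the Debian bug report or the cmark-gfm project).

is_affected()    - True when a cmark-gfm version string is older than the
                   fixed release named in the advisories, 0.29.0.gfm.7.
render_bounded() - run a renderer command with an input-size cap and a
                   timeout so quadratic-time inputs are cut off.
Assumptions: version strings look like 'MAJOR.MINOR.PATCH.gfm.N' and the
renderer is a CLI that reads markdown on stdin and writes HTML on stdout.
"""
import re
import subprocess

FIXED_VERSION = "0.29.0.gfm.7"  # release that patches CVE-2023-22483..22486

_GFM_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.gfm\.(\d+)$")


def parse_gfm_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH.gfm.N' into a tuple of ints for comparison."""
    m = _GFM_VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a cmark-gfm version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """Return True if `version` predates the fixed release (tuple compare,
    so 0.29.0.gfm.11 correctly sorts after 0.29.0.gfm.7)."""
    return parse_gfm_version(version) < parse_gfm_version(FIXED_VERSION)


class RenderRejected(Exception):
    """Raised when input is refused or the renderer is stopped by a bound."""


def render_bounded(markdown: bytes,
                   command=("cmark-gfm",),  # assumed: reads stdin, writes HTML
                   max_bytes: int = 64 * 1024,
                   timeout_s: float = 2.0) -> bytes:
    """Render `markdown` via `command` under a size cap and a timeout.

    The size cap is checked before spawning anything, so oversized documents
    cost nothing. The timeout bounds wall-clock time even if the parser's
    running time grows quadratically with the input; on expiry the child is
    killed by subprocess.run and RenderRejected is raised.
    """
    if len(markdown) > max_bytes:
        raise RenderRejected(
            f"input of {len(markdown)} bytes exceeds cap of {max_bytes}")
    try:
        proc = subprocess.run(list(command), input=markdown,
                              capture_output=True, timeout=timeout_s,
                              check=False)
    except subprocess.TimeoutExpired as exc:
        raise RenderRejected(f"renderer exceeded {timeout_s}s and was killed") from exc
    if proc.returncode != 0:
        raise RenderRejected(f"renderer exited with status {proc.returncode}")
    return proc.stdout


if __name__ == "__main__":
    for v in ("0.29.0.gfm.6", "0.29.0.gfm.7", "0.29.0.gfm.11"):
        print(v, "affected" if is_affected(v) else "fixed")
    # Constructed sample input; 'cat' stands in for the renderer here.
    print(render_bounded(b"# hello\n", command=("cat",)).decode())
```

In production the cap and timeout should be tuned to the largest legitimate document the service accepts; the point is that both bounds apply before any parser-internal complexity can matter, which is the mitigation that remains useful even after upgrading to 0.29.0.gfm.7.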
Created python-cmarkgfm tracking bugs for this issue: Affects: fedora-all [bug 2179399]
*** Bug 2179401 has been marked as a duplicate of this bug. ***