CVE-2022-39209

Vulnerability Description

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• https://en.wikipedia.org/wiki/Time_complexityThird Party Advisory
• https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8PatchThird Party Advisory
• https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7qThird Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
• https://en.wikipedia.org/wiki/Time_complexityThird Party Advisory
• https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8PatchThird Party Advisory
• https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7qThird Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro