cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text that leads with large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

### Impact

A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.

### Proof of concept

```sh
~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext
```
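A small timing harness, added here as an example (it is not part of the advisory or of cmark-gfm's own code), that feeds the proof-of-concept input shape to a cmark-gfm binary at doubling sizes and estimates the scaling exponent from a log-log fit, so a build can be checked for the quadratic behaviour before and after upgrading. The binary path, the sizes and the 1.5 threshold are assumptions.

```python
import math
import shutil
import subprocess
import sys
import time
from typing import Callable, Sequence

# Assumed path to a cmark-gfm build (same layout as the advisory's PoC).
CMARK_BIN = "./build/src/cmark-gfm"


def poc_input(pad_len: int) -> bytes:
    """Same shape as the advisory's PoC: underscores, a dot, underscores."""
    pad = b"_" * pad_len
    return pad + b"." + pad


def time_cmark(pad_len: int, binary: str = CMARK_BIN) -> float:
    """Wall-clock seconds for one `cmark-gfm --to plaintext` run."""
    start = time.perf_counter()
    subprocess.run([binary, "--to", "plaintext"], input=poc_input(pad_len),
                   stdout=subprocess.DEVNULL, check=True)
    return time.perf_counter() - start


def scaling_exponent(sizes: Sequence[int], seconds: Sequence[float]) -> float:
    """Least-squares slope of log(time) vs log(size): ~1 linear, ~2 quadratic."""
    xs = [math.log(n) for n in sizes]
    ys = [math.log(t) for t in seconds]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def check_scaling(run: Callable[[int], float],
                  sizes: Sequence[int] = (10000, 20000, 40000, 80000),
                  threshold: float = 1.5) -> tuple[float, bool]:
    """Return (exponent, affected) for a timing function over doubling sizes."""
    k = scaling_exponent(sizes, [run(n) for n in sizes])
    return k, k >= threshold


if __name__ == "__main__":
    binary = sys.argv[1] if len(sys.argv) > 1 else CMARK_BIN
    if shutil.which(binary) is None:
        sys.exit(f"{binary} not found")
    k, affected = check_scaling(lambda n: time_cmark(n, binary))
    print(f"scaling exponent {k:.2f}: {'AFFECTED' if affected else 'ok'}")
```

Run it against a pre-0.29.0.gfm.10 build and a patched one; the exponent should drop from about 2 to about 1.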
Increasing the pad length in the proof-of-concept command causes the running time to increase quadratically.

### Patches

This vulnerability has been patched in 0.29.0.gfm.10.

### Note on cmark and cmark-gfm

XXX: TBD
cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both cmark and cmark-gfm.

### Credit

We would like to thank @gravypod for reporting this vulnerability.

### References

* https://en.wikipedia.org/wiki/Time_complexity

### For more information

If you have any questions or comments about this advisory:

* Open an issue in github/cmark-gfm
OS | OS version | Architecture | Package | Package version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | cmark | < any | UNKNOWN |
ubuntu | 20.04 | noarch | cmark | < any | UNKNOWN |
ubuntu | 22.04 | noarch | cmark | < any | UNKNOWN |
ubuntu | 23.10 | noarch | cmark | < any | UNKNOWN |
ubuntu | 24.04 | noarch | cmark | < any | UNKNOWN |
ubuntu | 20.04 | noarch | cmark-gfm | < any | UNKNOWN |
ubuntu | 22.04 | noarch | cmark-gfm | < any | UNKNOWN |
ubuntu | 23.10 | noarch | cmark-gfm | < any | UNKNOWN |
ubuntu | 24.04 | noarch | cmark-gfm | < any | UNKNOWN |