ubuntucve | Ubuntu.com | UB:CVE-2023-26485
History: Mar 31, 2023 - 12:00 a.m.

CVE-2023-26485

7

EPSS: 0.001 (Low), Percentile: 34.6%

cmark-gfm is GitHub’s fork of cmark, a CommonMark parsing and rendering
library and program in C. A polynomial time complexity issue in cmark-gfm
may lead to unbounded resource exhaustion and subsequent denial of service.
This CVE covers quadratic complexity issues when parsing text which leads
with large numbers of `_` characters. This issue has been addressed
in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to
upgrade should validate that their input comes from trusted sources.

### Impact

A polynomial time complexity issue in cmark-gfm may lead to
unbounded resource exhaustion and subsequent denial of service.

### Proof of concept

```
~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext
```

Increasing the number 10000 in the above commands causes the running time
to increase quadratically.

### Patches

This vulnerability has been patched in 0.29.0.gfm.10.

### Note on cmark and cmark-gfm

XXX: TBD

cmark-gfm is a fork of cmark that adds the GitHub Flavored
Markdown extensions. The two codebases have diverged over time, but share a
common core. These bugs affect both cmark and cmark-gfm.

### Credit

We would like to thank @gravypod for reporting this vulnerability.

### References

https://en.wikipedia.org/wiki/Time_complexity

### For more information

If you have any questions or comments about this advisory:

* Open an issue in github/cmark-gfm
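
To confirm whether a given build still shows the quadratic behaviour described under "Proof of concept", the following added example (not part of the advisory or the cmark-gfm project) times the binary on doubling input sizes and fits the growth exponent. The sizes, the 1.5 threshold and the function names are assumptions of this example; the input shape, binary path and `--to plaintext` flag are taken from the advisory.

```python
import math
import subprocess
import sys
import time

def make_input(n):
    """Same shape as the advisory's proof of concept: n underscores, a dot, n underscores."""
    pad = "_" * n
    return (pad + "." + pad).encode()

def time_parse(binary, n):
    """Wall-clock seconds for one `--to plaintext` run on make_input(n)."""
    start = time.perf_counter()
    subprocess.run([binary, "--to", "plaintext"], input=make_input(n),
                   stdout=subprocess.DEVNULL, check=True, timeout=300)
    return time.perf_counter() - start

def fit_exponent(samples):
    """Least-squares slope of log(t) against log(n): ~1 is linear, ~2 is quadratic."""
    xs = [math.log(n) for n, _ in samples]
    ys = [math.log(t) for _, t in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den

def classify(exponent, threshold=1.5):
    # threshold is an assumption of this example, midway between linear and quadratic
    return "quadratic (likely unpatched)" if exponent >= threshold else "near-linear"

if __name__ == "__main__":
    # Binary path defaults to the one used in the advisory's command line.
    binary = sys.argv[1] if len(sys.argv) > 1 else "./build/src/cmark-gfm"
    sizes = [20000, 40000, 80000, 160000]  # doubling sizes, chosen for this example
    samples = [(n, time_parse(binary, n)) for n in sizes]
    k = fit_exponent(samples)
    for n, t in samples:
        print(f"{n:>7} underscores per side: {t:.3f}s")
    print(f"fitted exponent {k:.2f}: {classify(k)}")
```

On a fast build, process start-up time dominates the smaller sizes and pulls the fitted exponent below 1, which still classifies as near-linear.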
