CVE-2022-39209

NameCVE-2022-39209
Descriptioncmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1020588

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cmark-gfm (PTS)buster0.28.3.gfm.19-3vulnerable
bullseye0.29.0.gfm.0-6vulnerable
bookworm, sid0.29.0.gfm.3-3vulnerable
ghostwriter (PTS)buster1.7.4-2vulnerable
bullseye1.8.1-2vulnerable
bookworm, sid2.1.1-1vulnerable
python-cmarkgfm (PTS)buster, bullseye0.4.2-1vulnerable
bookworm, sid0.8.0-1vulnerable
r-cran-commonmark (PTS)buster1.7-1vulnerable
bullseye1.7-2vulnerable
bookworm, sid1.8.0-1vulnerable
ruby-commonmarker (PTS)buster0.17.9-1vulnerable
bullseye0.21.0-1vulnerable
bookworm, sid0.23.4-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cmark-gfmsource(unstable)(unfixed)1020588
ghostwritersource(unstable)(unfixed)
python-cmarkgfmsource(unstable)(unfixed)
r-cran-commonmarksource(unstable)(unfixed)
ruby-commonmarkersource(unstable)(unfixed)

Notes

https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70 (0.29.0.gfm.6)

Search for package or bug name: Reporting problems