Описание
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| cmark-gfm | fixed | 0.29.0.gfm.13-1 | package | |
| cmark-gfm | ignored | bookworm | package | |
| cmark-gfm | no-dsa | bullseye | package | |
| cmark-gfm | no-dsa | buster | package | |
| python-cmarkgfm | fixed | 2024.11.20-1 | package | |
| python-cmarkgfm | no-dsa | bookworm | package | |
| python-cmarkgfm | no-dsa | bullseye | package | |
| python-cmarkgfm | no-dsa | buster | package | |
| r-cran-commonmark | fixed | 1.9.0-1 | package | |
| r-cran-commonmark | ignored | bookworm | package | |
| r-cran-commonmark | no-dsa | bullseye | package | |
| r-cran-commonmark | no-dsa | buster | package | |
| ruby-commonmarker | fixed | 0.23.10-1 | package | |
| ruby-commonmarker | no-dsa | bookworm | package | |
| ruby-commonmarker | no-dsa | bullseye | package | |
| ruby-commonmarker | no-dsa | buster | package |
Примечания
https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr
https://github.com/theacodes/cmarkgfm/commit/acf473a51a9dc3a4fd6d6a4b30e4d80c94d91d4a (2024.1.14)
r-cran-commonmark: https://github.com/r-lib/commonmark/commit/e7a1703cf293eaa898e6f0cf07d278cfb05590eb (v1.9.0)
EPSS
Связанные уязвимости
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
EPSS