Описание
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| cmark-gfm | fixed | 0.29.0.gfm.13-1 | package | |
| cmark-gfm | ignored | bookworm | package | |
| cmark-gfm | no-dsa | bullseye | package | |
| cmark-gfm | no-dsa | buster | package | |
| python-cmarkgfm | fixed | 2024.11.20-1 | package | |
| python-cmarkgfm | no-dsa | bookworm | package | |
| python-cmarkgfm | no-dsa | bullseye | package | |
| python-cmarkgfm | no-dsa | buster | package | |
| r-cran-commonmark | fixed | 1.9.1-1 | package | |
| r-cran-commonmark | ignored | bookworm | package | |
| r-cran-commonmark | no-dsa | bullseye | package | |
| r-cran-commonmark | no-dsa | buster | package | |
| ruby-commonmarker | fixed | 0.23.10-1 | package | |
| ruby-commonmarker | ignored | bookworm | package | |
| ruby-commonmarker | no-dsa | bullseye | package | |
| ruby-commonmarker | no-dsa | buster | package |
Примечания
https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59 (0.29.0.gfm.10)
https://github.com/theacodes/cmarkgfm/commit/acf473a51a9dc3a4fd6d6a4b30e4d80c94d91d4a (2024.1.14)
r-cran-commonmark: https://github.com/r-lib/commonmark/commit/969e27ea29dce1c2d7ab9b9909640bb4643d460f (v1.9.1)
EPSS
Связанные уязвимости
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
EPSS