CVE-2022-39209

NameCVE-2022-39209
Descriptioncmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1020588, 1034887, 1034888

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cmark-gfm (PTS)buster0.28.3.gfm.19-3vulnerable
bullseye0.29.0.gfm.0-6vulnerable
sid, trixie, bookworm0.29.0.gfm.6-6fixed
ghostwriter (PTS)buster1.7.4-2vulnerable
bullseye1.8.1-2vulnerable
bookworm2.1.6+ds-2fixed
trixie23.04.3+ds-1fixed
sid24.12.0+ds-1fixed
python-cmarkgfm (PTS)buster, bullseye0.4.2-1vulnerable
sid, trixie, bookworm0.8.0-3vulnerable
r-cran-commonmark (PTS)buster1.7-1vulnerable
bullseye1.7-2vulnerable
bookworm1.8.1-1fixed
sid, trixie1.9.2-2fixed
ruby-commonmarker (PTS)buster0.17.9-1vulnerable
bullseye0.21.0-1vulnerable
bookworm0.23.6-1vulnerable
sid, trixie0.23.10-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cmark-gfmsource(unstable)0.29.0.gfm.6-21020588
ghostwritersource(unstable)2.1.6+ds-1unimportant
python-cmarkgfmsource(unstable)(unfixed)1034887
r-cran-commonmarksource(unstable)1.8.1-1
ruby-commonmarkersource(unstable)(unfixed)1034888

Notes

[bookworm] - cmark-gfm <no-dsa> (Minor issue)
[bullseye] - cmark-gfm <no-dsa> (Minor issue)
[buster] - cmark-gfm <no-dsa> (Minor issue)
[bookworm] - python-cmarkgfm <no-dsa> (Minor issue)
[bullseye] - python-cmarkgfm <no-dsa> (Minor issue)
[buster] - python-cmarkgfm <no-dsa> (Minor issue)
[bookworm] - ruby-commonmarker <ignored> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
[buster] - r-cran-commonmark <no-dsa> (Minor issue)
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70 (0.29.0.gfm.6)
For ghostwriter just a hang/crash in GUI tool, no security impact
https://github.com/theacodes/cmarkgfm/commit/d6bb964c5b27ecf5deb76f0d1ce5e9274cb877ff (2022.10.27)

Search for package or bug name: Reporting problems