Bug 461321

Summary: CVE-2022-39209 ghostwriter: cmark-gfm: Unbounded resource exhaustion may lead to denial of service.
Product: [Applications] ghostwriter Reporter: Unknown <null>
Component: generalAssignee: megan.conkle
Status: CLOSED FIXED    
Severity: normal    
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed/Implemented In: 23.04.0
Sentry Crash Report:

Description Unknown 2022-11-02 15:26:15 UTC 
SUMMARY

In cmark-gfm versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

More information:
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q

Upstream fix:
https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
Comment 1 Unknown 2022-11-02 15:31:13 UTC 
Fedora downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2128046
Fixed version: 0.29.0.gfm.6 or higher.
Comment 2 megan.conkle 2022-11-05 23:41:53 UTC 
cmark-gfm 0.29.0.gfm.6 is already included on the master branch.  Thanks!