Bug 461321 - CVE-2022-39209 ghostwriter: cmark-gfm: Unbounded resource exhaustion may lead to denial of service.
Status: CLOSED FIXED
Alias: None
Product: ghostwriter
Classification: Applications
Component: general
Version: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: megan.conkle
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-02 15:26 UTC by Unknown
Modified: 2023-04-23 00:44 UTC
0 users

See Also:
Latest Commit:
Version Fixed In: 23.04.0
Sentry Crash Report:


Attachments

Description Unknown 2022-11-02 15:26:15 UTC
SUMMARY

In cmark-gfm versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

More information:
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q

Upstream fix:
https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
Comment 1 Unknown 2022-11-02 15:31:13 UTC
Fedora downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2128046
Fixed version: 0.29.0.gfm.6 or higher.
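Added example (not part of this bug report, the reporter's comment, or ghostwriter/cmark-gfm code): a small checker that decides whether a bundled cmark-gfm is at or past the fixed release named above. The versions have to be compared component by component, since plain string comparison would rank a later release such as 0.29.0.gfm.10 below 0.29.0.gfm.6. The header-scanning helper assumes the generated header defines a CMARK_GFM_VERSION_STRING macro (an assumption about cmark-gfm's build, not confirmed by this page), and the sample header text below is constructed for the example.

```python
import re

# The upstream-fixed release named in this bug report.
FIXED_CMARK_GFM = "0.29.0.gfm.6"

# cmark-gfm releases are versioned MAJOR.MINOR.PATCH.gfm.N
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.gfm\.(\d+)$")

# Assumption: the generated cmark-gfm version header carries this macro.
_HEADER_RE = re.compile(r'#define\s+CMARK_GFM_VERSION_STRING\s+"([^"]+)"')

# Constructed sample of such a header (not copied from any real build).
SAMPLE_HEADER = '''
#define CMARK_GFM_VERSION ((0 << 24) | (29 << 16) | (0 << 8) | 5)
#define CMARK_GFM_VERSION_STRING "0.29.0.gfm.5"
'''


def parse_cmark_gfm_version(text):
    """Parse 'MAJOR.MINOR.PATCH.gfm.N' into a tuple of four ints.

    Raises ValueError for anything else, so a missing or unexpected value
    is never silently treated as 'fixed'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a cmark-gfm version string: %r" % (text,))
    return tuple(int(g) for g in m.groups())


def is_fixed(version, fixed=FIXED_CMARK_GFM):
    """True when `version` is the fixed release or any later one."""
    return parse_cmark_gfm_version(version) >= parse_cmark_gfm_version(fixed)


def version_from_header(header_text):
    """Pull the version string out of a generated cmark-gfm version header.

    Returns None when the macro is absent, so the caller can flag the
    build for manual review rather than assuming it is patched.
    """
    m = _HEADER_RE.search(header_text)
    return m.group(1) if m else None


def affected_versions(versions):
    """Return the entries that are still vulnerable.

    Unparsable entries are kept in the result on purpose: an inventory
    line you cannot interpret should be reviewed, not ignored.
    """
    out = []
    for v in versions:
        try:
            if not is_fixed(v):
                out.append(v)
        except ValueError:
            out.append(v)
    return out


if __name__ == "__main__":
    found = version_from_header(SAMPLE_HEADER)
    print("bundled cmark-gfm:", found, "fixed:", found is not None and is_fixed(found))
    print("still affected:", affected_versions(
        ["0.29.0.gfm.5", "0.29.0.gfm.6", "0.29.0.gfm.10", "0.30.0.gfm.0", "unknown"]))
```

Point the header helper at the bundled copy's generated version header (or feed `is_fixed` whatever version string your package manager reports) to confirm a build carries 0.29.0.gfm.6 or later.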
Comment 2 megan.conkle 2022-11-05 23:41:53 UTC
cmark-gfm 0.29.0.gfm.6 is already included on the master branch. Thanks!