GHSA-8hqf-xjwp-p67v

Source
https://github.com/advisories/GHSA-8hqf-xjwp-p67v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8hqf-xjwp-p67v/GHSA-8hqf-xjwp-p67v.json
Aliases
Published
2023-03-28T14:40:29Z
Modified
2023-11-08T04:12:12.562387Z
Summary
Comrak vulnerable to quadratic runtime issues when parsing Markdown (GHSL-2023-047)
Details

Impact

A range of quadratic parsing issues from cmark/cmark-gfm are also present in Comrak. These can be used to craft denial-of-service attacks on services that use Comrak to parse Markdown.

Patches

0.17.0 contains fixes to known quadratic parsing issues.

Workarounds

n/a

References

  • https://github.com/commonmark/cmark/issues/255
  • https://github.com/commonmark/cmark/issues/389
  • https://github.com/commonmark/cmark/issues/373
  • https://github.com/commonmark/cmark/issues/299
  • https://github.com/commonmark/cmark/issues/388
  • https://github.com/commonmark/cmark/issues/284
  • https://github.com/commonmark/cmark/issues/218
  • https://github.com/commonmark/cmark/pull/232
  • https://github.com/github/cmark-gfm/blob/c32ef78bae851cb83b7ad52d0fbff880acdcd44a/test/pathological_tests.py#L63-L65
  • https://github.com/github/cmark-gfm/blob/c32ef78bae851cb83b7ad52d0fbff880acdcd44a/test/pathological_tests.py#L87-L89
References

Affected packages

crates.io / comrak

Package

Name
comrak

Affected ranges

Type
SEMVER
Events
Introduced
0The exact introduced commit is unknown
Fixed
0.17.0