cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
rendering library and program written in C. A polynomial time
complexity issue in cmark-gfm may lead to unbounded resource
exhaustion and subsequent denial of service: parsing is quadratic
in the number of > or - characters that a piece of text begins
with, so input that leads with a large number of either character
can consume excessive CPU time.
The Haskell cmark-gfm package bundles the C sources and was
affected by this issue. The fix was released in the upstream C
package at version 0.29.0.gfm.10. Version 0.2.6 of the Haskell
package adopted the fix (moving the bundled sources from
0.29.0.gfm.6 to 0.29.0.gfm.13). Packages that depend on cmark-gfm
should update to 0.2.6 or later.
Users unable to update should avoid processing data from untrusted sources or validate the input with other tools before using cmark-gfm to parse it.
Pandoc < 2.10.1 depended on cmark-gfm and could be affected by
this issue.
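For users who cannot update yet, one form the "validate the input with other tools" mitigation can take is a cheap linear pre-scan that measures the longest run of leading > or - markers on any line and refuses to hand the document to cmark-gfm when that run exceeds a policy limit. This is an added example, not code from cmark-gfm or the Haskell package; the function names, the sample inputs and the limit of 64 are all assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count the blockquote markers ('>') that open a line. Whitespace between
 * markers is skipped so "> > >" counts as 3; overcounting is harmless here,
 * it only makes the pre-filter stricter. */
static size_t leading_blockquote_depth(const char *line) {
    size_t depth = 0;
    for (const char *p = line; *p && *p != '\n'; p++) {
        if (*p == '>') depth++;
        else if (*p != ' ' && *p != '\t') break;
    }
    return depth;
}

/* Count a run of '-' characters at the start of a line (after up to 3
 * spaces of indentation, which CommonMark still treats as line start). */
static size_t leading_dash_run(const char *line) {
    const char *p = line;
    size_t indent = 0, run = 0;
    while (*p == ' ' && indent < 3) { p++; indent++; }
    while (*p == '-') { p++; run++; }
    return run;
}

/* Largest leading '>' depth or '-' run found on any line of the document.
 * Linear in the input size, unlike the parser behaviour being guarded. */
size_t max_leading_marker_run(const char *text) {
    size_t worst = 0;
    for (const char *line = text; line && *line;) {
        size_t d = leading_blockquote_depth(line);
        size_t r = leading_dash_run(line);
        if (d > worst) worst = d;
        if (r > worst) worst = r;
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return worst;
}

/* 1 if the document may be passed to cmark-gfm, 0 if it should be rejected. */
int markdown_within_marker_limit(const char *text, size_t limit) {
    return max_leading_marker_run(text) <= limit ? 1 : 0;
}

int main(void) {
    /* Constructed samples: an ordinary document and a line of 500 '>'. */
    const char *benign = "> a quoted line\n- item\n--- \n";
    char oversized[512];
    memset(oversized, '>', 500); oversized[500] = '\n'; oversized[501] = '\0';
    printf("benign: %d\n", markdown_within_marker_limit(benign, 64));     /* 1 */
    printf("oversized: %d\n", markdown_within_marker_limit(oversized, 64)); /* 0 */
    return 0;
}
```

A limit of 64 is only a placeholder; pick one above the deepest nesting your legitimate content actually uses.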
Advisory: HSEC-2025-0007
Source: https://github.com/haskell/security-advisories/tree/main/advisories/published/2025/HSEC-2025-0007.md
OSV export: https://github.com/haskell/security-advisories/blob/generated/osv-export/2025/HSEC-2025-0007.json
Raw OSV JSON: https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2025/HSEC-2025-0007.json
OSV export index: https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export
Repository: https://github.com/haskell/security-advisories