github cmark-gfm 未加控制的资源消耗（资源穷尽）

admin

0
文章

0
评论

2023-11-30 06:00:04 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 github cmark-gfm 未加控制的资源消耗（资源穷尽）

CVE编号

CVE-2022-39209

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-09-16

漏洞描述

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://en.wikipedia.org/wiki/Time_complexity
https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	github	cmark-gfm	*		Up to (excluding) 0.29.0.gfm.6
	运行在以下环境
	系统	debian_10	cmark-gfm	*		Up to (including) 0.28.3.gfm.19-3
	运行在以下环境
	系统	debian_11	cmark-gfm	*		Up to (including) 0.29.0.gfm.0-6
	运行在以下环境
	系统	debian_12	cmark-gfm	*		Up to (excluding) 0.29.0.gfm.6-2
	运行在以下环境
	系统	debian_sid	cmark-gfm	*		Up to (excluding) 0.29.0.gfm.6-2
	运行在以下环境
	系统	fedora_35	ghc-cmark-gfm-devel	*		Up to (excluding) 0.2.5-1.fc35
	运行在以下环境
	系统	fedora_36	ghc-cmark-gfm-devel	*		Up to (excluding) 0.2.5-1.fc36
	运行在以下环境
	系统	fedora_37	ghc-cmark-gfm-devel	*		Up to (excluding) 0.2.5-1.fc37
	运行在以下环境
	系统	fedora_39	ghostwriter-debugsource	*		Up to (excluding) 23.03.90-2.fc39