Bug 1207437 (CVE-2023-22483) - VUL-0: CVE-2023-22483: ghc-cmark-gfm: cmark-gfm: quadratic complexity bugs may lead to a denial of service
Summary: VUL-0: CVE-2023-22483: ghc-cmark-gfm: cmark-gfm: quadratic complexity bugs ma...
Status: IN_PROGRESS
Alias: CVE-2023-22483
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.4
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Peter Simons
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/354904/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-24 07:54 UTC by Thomas Leroy
Modified: 2023-02-07 16:50 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2023-01-24 07:54:14 UTC 
CVE-2023-22483

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library
and program in C. Versions prior to 0.29.0.gfm.7 are subject to several
polynomial time complexity issues in cmark-gfm that may lead to unbounded
resource exhaustion and subsequent denial of service. Various commands, when
piped to cmark-gfm with large values, cause the running time to increase
quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22483
https://www.cve.org/CVERecord?id=CVE-2023-22483
https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c
Comment 1 Peter Simons 2023-02-07 16:50:06 UTC 
Reported upstream at https://github.com/kivikakk/cmark-gfm-hs/issues/30. My preferred solution would be to un-bundle the C code from the Haskell library, if that is possible. Otherwise, we'll probably go for applying a patch to fix the issue.