Bug 1208973 (CVE-2023-26302) - VUL-0: CVE-2023-26302: markdown-it-py: Denial of service in the command line interface due to invalid UTF-8 characters as input
Status: RESOLVED FIXED
Alias: CVE-2023-26302
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assignee: Sebastian Wagner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/358060/
Reported: 2023-03-06 12:58 UTC by Cathy Hu
Modified: 2024-06-10 19:27 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Cathy Hu 2023-03-06 12:58:30 UTC
CVE-2023-26302

Denial of service could be caused to the command line interface of
markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8
characters as input.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26302
https://bugzilla.redhat.com/show_bug.cgi?id=2175697
https://www.cve.org/CVERecord?id=CVE-2023-26302
https://github.com/executablebooks/markdown-it-py/commit/53ca3e9c2b9e9b295f6abf7f4ad2730a9b70f68c
Comment 1 Cathy Hu 2023-03-06 12:58:42 UTC
Affected:
- openSUSE:Factory/python-markdown-it-py
Comment 2 Sebastian Wagner 2023-03-09 20:39:02 UTC
Duplicate of 1208973?
Comment 3 Cathy Hu 2023-03-13 08:24:47 UTC
1208973 is this bug?
Comment 4 Sebastian Wagner 2023-03-13 08:31:02 UTC
Sorry, I meant that https://bugzilla.opensuse.org/show_bug.cgi?id=1208974 and https://bugzilla.opensuse.org/show_bug.cgi?id=1208973 are possibly duplicates
Comment 5 Cathy Hu 2023-03-13 08:40:54 UTC
Ah, okay, no, these are different CVEs with different fixes.

This one (CVE-2023-26302): https://github.com/executablebooks/markdown-it-py/commit/53ca3e9c2b9e9b295f6abf7f4ad2730a9b70f68c

The other one (CVE-2023-26303, bnc#1208974): https://github.com/executablebooks/markdown-it-py/commit/ae03c6107dfa18e648f6fdd1280f5b89092d5d49