From 4ffc4a836a703c5593ef94a3ff4ba38e375b9263 Mon Sep 17 00:00:00 2001 From: Tyler Date: Fri, 6 Oct 2023 08:54:23 -0400 Subject: [PATCH] Add commonmark vulnerabilities --- latest-id.txt | 2 +- vulns/commonmark/RSEC-2023-6.yaml | 40 +++++++++++++++++++++ vulns/commonmark/RSEC-2023-7.yaml | 42 ++++++++++++++++++++++ vulns/commonmark/RSEC-2023-8.yaml | 59 +++++++++++++++++++++++++++++++ 4 files changed, 142 insertions(+), 1 deletion(-) create mode 100644 vulns/commonmark/RSEC-2023-6.yaml create mode 100644 vulns/commonmark/RSEC-2023-7.yaml create mode 100644 vulns/commonmark/RSEC-2023-8.yaml
diff --git a/latest-id.txt b/latest-id.txt
index 582d9a8..a519294 100644
--- a/latest-id.txt
+++ b/latest-id.txt
@@ -1 +1 @@
-2023-5
+2023-8
diff --git a/vulns/commonmark/RSEC-2023-6.yaml b/vulns/commonmark/RSEC-2023-6.yaml
new file mode 100644
index 0000000..905064f
--- /dev/null
+++ b/vulns/commonmark/RSEC-2023-6.yaml
@@ -0,0 +1,40 @@
+id: RSEC-2023-6
+details: The commonmark package, specifically in its dependency on GitHub Flavored Markdown before version 0.29.0.gfm.1,
+ has a vulnerability related to time complexity. Parsing certain crafted markdown tables can take O(n * n) time,
+ leading to potential Denial of Service attacks. This issue does not affect the upstream cmark project and has been
+ fixed in version 0.29.0.gfm.1.
+affected:
+- package:
+ name: commonmark
+ ecosystem: CRAN
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: "0.2"
+ - fixed: "1.8"
+ versions:
+ - "0.2"
+ - "0.4"
+ - "0.5"
+ - "0.6"
+ - "0.7"
+ - "0.8"
+ - "0.9"
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.4"
+ - "1.5"
+ - "1.6"
+ - "1.7"
+references:
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2020-5238
+- type: WEB
+ url: https://github.com/r-lib/commonmark/issues/13
+- type: WEB
+ url: https://github.com/r-lib/commonmark/pull/18
+aliases:
+- CVE-2020-5238
+modified: "2023-10-06T05:00:00.600Z"
+published: "2023-10-06T05:00:00.600Z"
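Review bot: The `fixed: "1.8"` event is the one field downstream scanners act on, yet nothing in `details` ties a CRAN release to the patched library: the text names only the upstream fix 0.29.0.gfm.1, and the reader has to infer from the r-lib/commonmark#18 reference that 1.8 is where the bundled cmark-gfm was updated. I would add a sentence such as `The CRAN commonmark package bundles cmark-gfm; release 1.8 updated the bundled copy to a patched version (r-lib/commonmark#18).`, assuming that is what the PR did, and mark that PR reference as `type: FIX` rather than `WEB`. The enumerated `versions` list jumps from "1.2" to "1.4" while the range covers everything from 0.2 up to 1.8, so either 1.3 was never published on CRAN or it is missing from the list; worth confirming against the CRAN archive, since consumers that match on `versions` instead of `ranges` will disagree with the range otherwise. An `ADVISORY`-type reference to GitHub's own advisory for CVE-2020-5238 would also give readers the primary source instead of only the Debian tracker mirror.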
diff --git a/vulns/commonmark/RSEC-2023-7.yaml b/vulns/commonmark/RSEC-2023-7.yaml
new file mode 100644
index 0000000..8837c97
--- /dev/null
+++ b/vulns/commonmark/RSEC-2023-7.yaml
@@ -0,0 +1,42 @@
+id: RSEC-2023-7
+details: cmark-gfm, GitHub's extended CommonMark library, has multiple vulnerabilities. Versions prior to 0.29.0.gfm.6
+ suffer from a polynomial time complexity issue in the autolink extension, causing denial of service. Also, versions
+ before 0.29.0.gfm.3 and 0.28.3.gfm.21 contain an integer overflow in table row parsing, leading to heap corruption and
+ potential Arbitrary Code Execution. Patches are available in versions 0.29.0.gfm.6, 0.29.0.gfm.3, and 0.28.3.gfm.21.
+ Mitigations include upgrading or disabling affected extensions.
+affected:
+- package:
+ name: commonmark
+ ecosystem: CRAN
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: "0.2"
+ - fixed: "1.8"
+ versions:
+ - "0.2"
+ - "0.4"
+ - "0.5"
+ - "0.6"
+ - "0.7"
+ - "0.8"
+ - "0.9"
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.4"
+ - "1.5"
+ - "1.6"
+ - "1.7"
+references:
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2022-39209
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2022-24724
+- type: WEB
+ url: https://github.com/r-lib/commonmark/pull/18
+aliases:
+- CVE-2022-39209
+- CVE-2022-24724
+modified: "2023-10-06T05:00:00.600Z"
+published: "2023-10-06T05:00:00.600Z"
diff --git a/vulns/commonmark/RSEC-2023-8.yaml b/vulns/commonmark/RSEC-2023-8.yaml
new file mode 100644
index 0000000..db00d10
--- /dev/null
+++ b/vulns/commonmark/RSEC-2023-8.yaml
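Review bot: Two vulnerabilities with different impact and different upstream fix versions are folded into one record with a single `fixed: "1.8"` event: per the `details` text, CVE-2022-24724 is an integer overflow causing heap corruption with possible code execution (fixed upstream in 0.29.0.gfm.3), while CVE-2022-39209 is a polynomial-time DoS (fixed in 0.29.0.gfm.6). A single range is only accurate if no CRAN release shipped a cmark-gfm between gfm.3 and gfm.6; if one did, the affected range differs per CVE and the record should be split into two, one per alias. Even if the shared range is right, the memory-safety issue deserves its own `severity` entry so consumers do not triage the whole record as a DoS. The closing sentence, `Mitigations include upgrading or disabling affected extensions.`, describes the C library; it would help R users if it named the commonmark option that disables the table and autolink extensions, assuming the package exposes one.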
@@ -0,0 +1,59 @@
+id: RSEC-2023-8
+details: cmark-gfm, GitHub's extended version of the CommonMark library in C, suffers from multiple vulnerabilities
+ affecting versions prior to 0.29.0.gfm.12. Various issues, including polynomial time complexity in multiple components
+ like autolink extension, handle_close_bracket, and parsing of certain text patterns (leading `>`, `-`, `_`), may lead
+ to unbounded resource exhaustion and denial of service. An out-of-bounds read in the `validate_protocol` function was
+ also identified but is considered less harmful. Patches are available in versions 0.29.0.gfm.7, 0.29.0.gfm.10, and
+ 0.29.0.gfm.12. Upgrading is advised, and users unable to upgrade should validate input from trusted sources.
+affected:
+- package:
+ name: commonmark
+ ecosystem: CRAN
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: "0.2"
+ versions:
+ - "0.2"
+ - "0.4"
+ - "0.5"
+ - "0.6"
+ - "0.7"
+ - "0.8"
+ - "0.9"
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.4"
+ - "1.5"
+ - "1.6"
+ - "1.7"
+ - "1.8"
+ - "1.9"
+references:
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2023-37463
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2023-26485
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2023-24824
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2023-22486
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2023-22485
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2023-22484
+- type: WEB
+ url: https://security-tracker.debian.org/tracker/CVE-2023-22483
+- type: WEB
+ url: https://github.com/r-lib/commonmark/issues/26
+aliases:
+- CVE-2023-37463
+- CVE-2023-26485
+- CVE-2023-24824
+- CVE-2023-22486
+- CVE-2023-22485
+- CVE-2023-22484
+- CVE-2023-22483
+modified: "2023-10-06T05:00:00.600Z"
+published: "2023-10-06T05:00:00.600Z"
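Review bot: The `events` list has an `introduced` entry but no terminating event, while `details` says patches exist upstream (0.29.0.gfm.7, .10 and .12) and `versions` runs through "1.9"; a consumer cannot tell whether 1.9 is simply the newest release checked or whether the authors assert that no CRAN release is fixed. OSV has `last_affected` for exactly this situation: adding `- last_affected: "1.9"` after the `introduced` event records that 1.9 was the latest version known to bundle the vulnerable library at publication, and it can be replaced by a `fixed` event once r-lib/commonmark#26 is resolved. The mitigation wording `users unable to upgrade should validate input from trusted sources` is muddled; the real mitigation for a parser DoS is not to feed untrusted markdown to these routines, so `users unable to upgrade should only process markdown from trusted sources` says what is meant. Seven CVEs across three upstream fix releases are also collapsed into one record without saying which aliases belong to which fix version; presumably each fix release closes a subset, and mapping them in `details` would let readers judge whether a partially updated bundle is still exposed.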