[Maintenance] Security Integer overflow in table parsing extension leads to heap memory corruption
Maintenance
Change log
- Added:
- Changed:
- Deprecated:
- Removed:
- Fixed:
- Security: Upgrade of commonmarker to mitigate Integer overflow in table parsing extension leads to heap memory corruption
Notes
Description Impact
An integer overflow in cmark-gfm's table row parsing (table.c:row_from_string) may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used.
If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library. Patches
This vulnerability has been patched in the following cmark-gfm releases:
0.29.0.gfm.3
0.28.3.gfm.21Workarounds
The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered. Acknowledgements
We would like to thank Felix Wilhelm of Google's Project Zero for reporting this vulnerability For more information
If you have any questions or comments about this advisory:
Open an issue in cmark-gfm