CVE-2022-39209

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

cmark-gfm es la bifurcación de GitHub de cmark, una biblioteca de análisis y renderización de CommonMark y un programa en C. En versiones anteriores a 0.29.0.gfm.6, un problema de complejidad de tiempo polinómico en la extensión de autolink de cmark-gfm puede conllevar a un agotamiento de recursos sin límites y la consiguiente denegación de servicio. Los usuarios pueden verificar el parche al ejecutar "python3 -c "print("![l "* 100000 + "\n")' | ./cmark-gfm -e autolink", que agotará los recursos en cmark-gfm sin parchear, pero será mostrado correctamente en cmark-gfm parcheado. Esta vulnerabilidad ha sido parcheada en versión 0.29.0.gfm.6. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizares deberán deshabilitar el uso de la extensión autolink