Headline
CVE-2022-24724: Build software better, together
cmark-gfm is GitHub’s extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm’s table row parsing table.c:row_from_string may lead to heap memory corruption when parsing tables who’s marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used. If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
Impact
An integer overflow in cmark-gfm’s table row parsing (table.c:row_from_string) may lead to heap memory corruption when parsing tables who’s marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used.
If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library.
Patches
This vulnerability has been patched in the following cmark-gfm releases:
- 0.29.0.gfm.3
- 0.28.3.gfm.21
Workarounds
The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
Acknowledgements
We would like to thank Felix Wilhelm of Google’s Project Zero for reporting this vulnerability
For more information
If you have any questions or comments about this advisory:
- Open an issue in cmark-gfm