Bug 1196742 (CVE-2022-24724)

Summary: VUL-0: CVE-2022-24724: ghc-cmark-gfm: possible RCE due to integer overflow
Product: [openSUSE] openSUSE Distribution Reporter: Alexander Bergmann <abergmann>
Component: SecurityAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: Leap 15.4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/325318/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2022-03-04 08:26:27 UTC
rh#2060662

-----------------------------------
Only might affecting: SUSE:Factory:Head/ghc-cmark-gfm

It looks like our current version 0.2.2 is quite behind the official upstream release 0.29.0.gfm.3. So it is a bit unsure if the old version is actually affected or not.
-----------------------------------

cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.

https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2060662
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24724
https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x