Bug 1213317 (CVE-2023-37463)

Summary: VUL-0: CVE-2023-37463: cmark,python-cmarkgfm,ghc-cmark-gfm: polynomial time complexity issues
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: daniel.garcia, dmueller, python-maintainers, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372448/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-37463:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-07-14 08:36:24 UTC 
CVE-2023-37463

cmark-gfm is an extended version of the C reference implementation of
CommonMark, a rationalized version of Markdown syntax with a spec. Three
polynomial time complexity issues in cmark-gfm may lead to unbounded resource
exhaustion and subsequent denial of service. These vulnerabilities have been
patched in 0.29.0.gfm.12.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37463
https://www.cve.org/CVERecord?id=CVE-2023-37463
https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12
https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5
Comment 1 Carlos López 2023-07-14 08:37:18 UTC 
Afected:
openSUSE:Backports:SLE-15-SP4/ghc-cmark-gfm
openSUSE:Backports:SLE-15-SP5/ghc-cmark-gfm
openSUSE:Backports:SLE-15-SP4/python-cmarkgfm
openSUSE:Backports:SLE-15-SP5/python-cmarkgfm
openSUSE:Factory/python-cmarkgfm
SUSE:ALP:Source:Standard:0.1/python-cmarkgfm

Not affected:
SUSE:SLE-15-SP4:Update/cmark
openSUSE:Factory/cmark

There's 3 relevant fixes [0] [1] [2] in the update [3].

[0] https://github.com/github/cmark-gfm/commit/1d17fa9d5af3215b9c969c66aa2fe22a1030b8a1
[1] https://github.com/github/cmark-gfm/commit/5e8ad61d0a79eb7f7b8ae0863e2ee19387f734f0
[2] https://github.com/github/cmark-gfm/commit/2c5212e0508bbf19e9c7ec9de366b792cbdd6556
[3] https://github.com/github/cmark-gfm/compare/0.29.0.gfm.11...0.29.0.gfm.12
Comment 3 OBSbugzilla Bot 2023-08-14 08:25:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1213317) was mentioned in
https://build.opensuse.org/request/show/1103806 Factory / python-cmarkgfm
Comment 5 Dirk Mueller 2023-08-15 08:58:53 UTC 
all submitted (thanks Daniel!) also submitted for SLE15.
Comment 8 Carlos López 2024-02-22 14:56:05 UTC 
Done, closing.