Closed (tillea closed this 2 years ago)
On Wed, Mar 09, 2022 at 06:19:44AM -0800, Jeroen Ooms wrote:
Closed #17 via #18.
Thanks a lot. Do you plan to release a new upstream version of commonmark soon? This would simplify fixing the bugs inside the Debian package. Kind regards, Andreas.
I've submitted it to CRAN. If there are no problems with the reverse dependencies it should be up later today.
The following vulnerability was published for commonmark:

CVE-2022-24724: cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing (table.c:row_from_string) may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used. If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library. This vulnerability has been patched in the following cmark-gfm versions: 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
Kind regards, Andreas.
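To show the bug class the advisory describes, here is an added example that is not cmark-gfm's code (the row counting is a deliberately simplified stand-in for table.c:row_from_string, and all function names are assumptions): a marker-row column count narrowed to a 16-bit field wraps once the row has more than UINT16_MAX cells, so any buffer sized from the narrowed value is smaller than the number of cells later written into it; the hardened counter validates against the field's limit and rejects such rows instead.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Count the cells of a pipe-delimited marker row such as "|---|---|".
 * Simplified stand-in for cmark-gfm's row parsing, not the real code. */
size_t count_cells(const char *row) {
    size_t pipes = 0;
    for (const char *p = row; *p; p++) {
        if (*p == '|') pipes++;
    }
    return pipes > 0 ? pipes - 1 : 0; /* n delimiters enclose n-1 cells */
}

/* Vulnerable pattern: the count is kept in a 16-bit field, so a row with
 * more than UINT16_MAX cells wraps (65537 cells -> 1). A heap buffer sized
 * from this value cannot hold the cells that are written into it later. */
uint16_t narrowed_column_count(const char *row) {
    return (uint16_t)count_cells(row);
}

/* Hardened pattern: check the full-width count against the field's limit
 * before narrowing. Returns -1 to reject the row instead of wrapping. */
int checked_column_count(const char *row, uint16_t *out) {
    size_t cells = count_cells(row);
    if (cells > UINT16_MAX) return -1;
    *out = (uint16_t)cells;
    return 0;
}

/* Constructed input: a marker row with n empty cells is n+1 pipes. */
char *make_marker_row(size_t n) {
    char *row = malloc(n + 2);
    if (!row) return NULL;
    memset(row, '|', n + 1);
    row[n + 1] = '\0';
    return row;
}

/* Convenience wrappers that build a row of n cells and return the count
 * each pattern would use (-1 on allocation failure or rejection). */
int narrowed_count_for(size_t n) {
    char *row = make_marker_row(n);
    if (!row) return -1;
    int v = narrowed_column_count(row);
    free(row);
    return v;
}

int checked_count_for(size_t n) {
    char *row = make_marker_row(n);
    if (!row) return -1;
    uint16_t v;
    int rc = checked_column_count(row, &v);
    free(row);
    return rc == 0 ? (int)v : -1;
}
```

The workaround quoted above, disabling the table extension, avoids this parsing path entirely for inputs that do not need tables.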