cmark-gfm is GitHubs extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfms table row parsing table.c:row_from_string may lead to heap memory corruption when parsing tables whos marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used. If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cmark-gfm | Github | * | 0.28.3.gfm.21 (excluding) |
| Cmark-gfm | Github | 0.28.3.gfm.21 (excluding) | 0.29.0.gfm.3 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | pandoc-0:2.0.6-6.el8_6 | * |
| Cmark-gfm | Ubuntu | impish | * |
| Cmark-gfm | Ubuntu | kinetic | * |
| Cmark-gfm | Ubuntu | lunar | * |
| Cmark-gfm | Ubuntu | mantic | * |
| Cmark-gfm | Ubuntu | trusty | * |
| Cmark-gfm | Ubuntu | xenial | * |