Impact
Two polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.
Proof of concept
Issue 1:
python3 -c 'n = 10000; print(">"*n + "a*"*n)' | cmark-gfmIssue 2:
python3 -c 'n = 10000; print(" -" * n + "x" + "\n" * n)' | cmark-gfmIncreasing the number 10000 in the above commands causes the running time to increase quadratically.
Patches
These vulnerabilities have been patched in 0.29.0.gfm.10.
Note on cmark and cmark-gfm
cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both cmark and cmark-gfm.
Credit
We would like to thank @nwellnhof for reporting the first vulnerability (issue 1). Issue 2 was subsequently found by GitHub Security Lab.
References
https://en.wikipedia.org/wiki/Time_complexity
For more information
If you have any questions or comments about this advisory:
nwellnhof Analyst
Impact
Two polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.
Proof of concept
Issue 1:
Issue 2:
Increasing the number 10000 in the above commands causes the running time to increase quadratically.
Patches
These vulnerabilities have been patched in 0.29.0.gfm.10.
Note on cmark and cmark-gfm
cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both
cmarkandcmark-gfm.Credit
We would like to thank @nwellnhof for reporting the first vulnerability (issue 1). Issue 2 was subsequently found by GitHub Security Lab.
References
https://en.wikipedia.org/wiki/Time_complexity
For more information
If you have any questions or comments about this advisory: