[R-pkg-team] Bug#1006760: r-cran-commonmark: CVE-2022-24724 - integer overflow prior to 0.29.0.gfm.3 and 0.28.3.gfm.21 (cmark extension)

Neil Williams codehelp at debian.org
Fri Mar 4 11:49:23 GMT 2022


Source: r-cran-commonmark
Version: 1.7-2
Severity: important
Tags: security
X-Debbugs-Cc: codehelp at debian.org, Debian Security Team <team at security.debian.org>


The following vulnerability was published for r-cran-commonmark.

https://sources.debian.org/src/r-cran-commonmark/1.7-2/src/extensions/table.c/?hl=140#L140

CVE-2022-24724[0]:
| cmark-gfm is GitHub's extended version of the C reference
| implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and
| 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing
| `table.c:row_from_string` may lead to heap memory corruption when
| parsing tables whose marker rows contain more than UINT16_MAX columns.
| The impact of this heap corruption ranges from Information Leak to
| Arbitrary Code Execution depending on how and where `cmark-gfm` is
| used. If `cmark-gfm` is used for rendering remote user controlled
| markdown, this vulnerability may lead to Remote Code Execution (RCE)
| in applications employing affected versions of the `cmark-gfm`
| library. This vulnerability has been patched in the following
| cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is
| available. The vulnerability exists in the table markdown extensions
| of cmark-gfm. Disabling the table extension will prevent this
| vulnerability from being triggered.
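The bug class behind the advisory is a column count held in a 16-bit field: once a marker row has more than UINT16_MAX columns the count wraps, and anything sized from the wrapped count is far smaller than the number of cells later written into it. The C below is an added illustration, not code from cmark-gfm, the Debian package, or the upstream fix. It uses a synthetic marker-row format (a leading '|' followed by "---|" per column), a narrow uint16_t counter beside a checked parse that refuses over-long rows, and an assumed char* cell array to size; all of those names and the format are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Illustrative code, not cmark-gfm's table.c. Synthetic marker-row format
 * (an assumption for this example): the row opens with '|' and every
 * column is the four bytes "---|", so a row with N columns has N pipes
 * after the opening one.
 */

/* Build a constructed marker row with n_columns columns. Caller frees. */
char *make_marker_row(size_t n_columns)
{
    size_t len = 1 + 4 * n_columns;
    char *row = malloc(len + 1);
    if (row == NULL)
        return NULL;
    row[0] = '|';
    for (size_t i = 0; i < n_columns; i++)
        memcpy(row + 1 + 4 * i, "---|", 4);
    row[len] = '\0';
    return row;
}

/* True column count, kept in a size_t so it never truncates. */
size_t count_columns_wide(const char *row)
{
    if (*row == '|')
        row++;                   /* the opening pipe is not a column */
    size_t n = 0;
    for (const char *p = row; *p != '\0'; p++)
        if (*p == '|')
            n++;
    return n;
}

/*
 * Vulnerable pattern: the running count is a uint16_t. Incrementing it
 * past 65535 wraps to 0 (unsigned conversion is modular), so a row with
 * 65537 columns reports just 1, with no warning and no error.
 */
uint16_t count_columns_narrow(const char *row)
{
    if (*row == '|')
        row++;
    uint16_t n = 0;
    for (const char *p = row; *p != '\0'; p++)
        if (*p == '|')
            n++;                 /* wraps silently after 65535 */
    return n;
}

/* Bytes missing from an array of char* cells sized from the wrapped count. */
size_t allocation_shortfall(size_t true_columns)
{
    uint16_t narrow = (uint16_t)true_columns;   /* same truncation as above */
    return (true_columns - narrow) * sizeof(char *);
}

/*
 * Hardened pattern: count in a wide type and reject the row when the
 * count does not fit the 16-bit field, instead of letting it wrap.
 * Returns 0 and stores the count on success, -1 when the row is rejected.
 */
int parse_marker_row_checked(const char *row, uint16_t *n_columns_out)
{
    size_t n = count_columns_wide(row);
    if (n > UINT16_MAX)
        return -1;               /* refuse rather than allocate from a wrapped count */
    *n_columns_out = (uint16_t)n;
    return 0;
}

int main(void)
{
    char *row = make_marker_row((size_t)UINT16_MAX + 2);   /* 65537 columns */
    if (row == NULL)
        return 1;
    size_t wide = count_columns_wide(row);
    printf("true columns: %zu, uint16_t count: %u, shortfall: %zu bytes\n",
           wide, (unsigned)count_columns_narrow(row), allocation_shortfall(wide));
    uint16_t checked;
    printf("checked parse: %s\n",
           parse_marker_row_checked(row, &checked) == 0 ? "accepted" : "rejected");
    free(row);
    return 0;
}
```

The boundary is exactly the one the advisory states: a row with UINT16_MAX columns still counts correctly, the next column wraps the narrow counter. The same kind of input, a marker row with 65536 or more columns, is what a packaged build's regression test should feed through the table extension, ideally under AddressSanitizer so an undersized heap buffer is reported rather than silently corrupted.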


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24724
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24724

Please adjust the affected versions in the BTS as needed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


