| Field | Value |
|---|---|
| purl | pkg:deb/debian/python-cmarkgfm@0.4.2-1 |
| Next non-vulnerable version | 2024.11.20-1 |
| Latest non-vulnerable version | 2024.11.20-1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3t6s-s89g-1ff3 Aliases: CVE-2023-22485 | cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage. This vulnerability has been patched in 0.29.0.gfm.7. | Affected by 0 other vulnerabilities. |
| VCID-6wj2-mkne-xyhd Aliases: CVE-2023-37463 | | Affected by 0 other vulnerabilities. |
| VCID-n8rw-e9kt-77em Aliases: CVE-2023-22484 | cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7. | Affected by 0 other vulnerabilities. |
| VCID-nnsf-661k-duf5 Aliases: CVE-2022-24724 | cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from information leak to arbitrary code execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user-controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available: the vulnerability exists in the table markdown extension of cmark-gfm, so disabling the table extension prevents it from being triggered. | Affected by 8 other vulnerabilities. |
| VCID-px6s-pf9p-yfem Aliases: CVE-2020-5238 | The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 takes O(n * n) time to parse certain inputs. An attacker could craft a markdown table which would take an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project. The issue has been fixed in version 0.29.0.gfm.1. | Affected by 8 other vulnerabilities. |
| VCID-r3h9-dpmf-sfdq Aliases: CVE-2023-24824 | cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with large numbers of either `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. | Affected by 0 other vulnerabilities. |
| VCID-rbf4-3fdn-p3dg Aliases: CVE-2023-22486 | | Affected by 0 other vulnerabilities. |
| VCID-tadv-58mt-m7ex Aliases: CVE-2023-22483 | cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various inputs, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7. | Affected by 0 other vulnerabilities. |
| VCID-tt1e-rhy4-vyf7 Aliases: CVE-2023-26485 | cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with large numbers of `_` characters. Proof of concept: `python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' \| time ./build/src/cmark-gfm --to plaintext`; increasing the number 100000 in this command causes the running time to increase quadratically. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. Note on cmark and cmark-gfm: cmark-gfm (https://github.com/github/cmark-gfm) is a fork of cmark (https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions; the two codebases have diverged over time but share a common core, and these bugs affect both `cmark` and `cmark-gfm`. Credit: @gravypod reported this vulnerability. Reference: https://en.wikipedia.org/wiki/Time_complexity. Questions or comments about this advisory: open an issue in github/cmark-gfm. | Affected by 0 other vulnerabilities. |
| VCID-xpbx-rea4-1kej Aliases: CVE-2022-39209 | cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6, a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l" * 100000 + "\n")' \| ./cmark-gfm -e autolink`, which exhausts resources on unpatched cmark-gfm but renders correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension. | Affected by 0 other vulnerabilities. |
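The advisories above share two mitigations for deployments that cannot upgrade immediately: disable the table and autolink extensions, and only feed the parser input from trusted sources. The following is an added example (not code from the cmarkgfm or cmark-gfm projects) of what that looks like in front of the Python binding this Debian package ships: it constructs the three payload shapes the advisories describe (a table marker row with more than UINT16_MAX columns for CVE-2022-24724, underscore padding for CVE-2023-26485, repeated `![l` openers for CVE-2022-39209), refuses them before the native parser runs, and renders everything else with a reduced extension set. The size and run-length thresholds are assumptions chosen for illustration, `markdown_to_html_with_extensions` and the extension names are assumed from recent cmarkgfm releases, and none of this replaces upgrading to a fixed cmark-gfm.

```python
"""Pre-parse guard and reduced-extension rendering for untrusted Markdown.

Added example for this page; it is not code from the cmarkgfm or cmark-gfm
projects. It reproduces the payload shapes the advisories describe and
rejects them before the native parser sees them. The thresholds are
assumptions picked for illustration; upgrading cmark-gfm is the actual fix.
"""
import re

UINT16_MAX = 0xFFFF

# Assumed limits (not from the advisories). Ordinary documents stay far
# below them; the published proofs of concept are far above.
MAX_INPUT_BYTES = 1 << 20       # 1 MiB of Markdown per render call
MAX_MARKER_RUN = 10_000         # longest run of one repeated punctuation char
MAX_BRACKET_OPENERS = 10_000    # "[" count; "![l" * 100000 is the PoC shape

# Extension names as accepted by cmarkgfm.markdown_to_html_with_extensions
# (assumed); 'table' and 'autolink' are left out per the advisory workarounds.
SAFE_EXTENSIONS = ("strikethrough", "tagfilter", "tasklist")

_DELIMITER_ROW = re.compile(r"[|:\- ]+")
_MARKER_RUN = re.compile(r"([^A-Za-z0-9\s])\1*")   # \w would exclude "_"


def table_delimiter_cells(line):
    """Number of cells in a GFM table delimiter row such as |---|:--:|,
    or 0 if the line is not a delimiter row."""
    stripped = line.strip()
    if not stripped or not _DELIMITER_ROW.fullmatch(stripped):
        return 0
    return sum(1 for cell in stripped.strip("|").split("|") if "-" in cell)


def longest_marker_run(text):
    """Length of the longest run of one repeated non-alphanumeric character."""
    return max((len(m.group(0)) for m in _MARKER_RUN.finditer(text)), default=0)


def check_untrusted_markdown(text):
    """Return a list of reasons to refuse the input; empty means render it."""
    reasons = []
    if len(text.encode("utf-8")) > MAX_INPUT_BYTES:
        reasons.append("input exceeds %d bytes" % MAX_INPUT_BYTES)
    for lineno, line in enumerate(text.splitlines(), 1):
        cells = table_delimiter_cells(line)
        if cells > UINT16_MAX:
            reasons.append("line %d: table marker row with %d columns, more than "
                           "UINT16_MAX (CVE-2022-24724 shape)" % (lineno, cells))
    run = longest_marker_run(text)
    if run > MAX_MARKER_RUN:
        reasons.append("run of %d identical marker characters "
                       "(quadratic-parse shape, e.g. CVE-2023-26485)" % run)
    openers = text.count("[")
    if openers > MAX_BRACKET_OPENERS:
        reasons.append("%d bracket openers (autolink DoS shape, CVE-2022-39209)" % openers)
    return reasons


def render_untrusted(text, extensions=SAFE_EXTENSIONS):
    """Guard first, then render with a reduced extension set.

    cmarkgfm is imported lazily so the guard works without it installed. The
    call assumes cmarkgfm.markdown_to_html_with_extensions(text, options=0,
    extensions=[...]) as documented for recent cmarkgfm releases.
    """
    reasons = check_untrusted_markdown(text)
    if reasons:
        raise ValueError("refusing to render: " + "; ".join(reasons))
    import cmarkgfm
    return cmarkgfm.markdown_to_html_with_extensions(text, extensions=list(extensions))


# Constructed payloads in the shapes the advisories describe; they exist here
# only to exercise the guard, not to target any particular build.
def poc_underscores(n=100_000):
    pad = "_" * n
    return pad + "." + pad


def poc_autolink(n=100_000):
    return "![l" * n + "\n"


def poc_table_columns(n=UINT16_MAX + 1):
    return "|" + " h |" * n + "\n" + "|" + "-|" * n + "\n"


if __name__ == "__main__":
    for name, payload in [("underscores", poc_underscores()),
                          ("autolink", poc_autolink()),
                          ("table", poc_table_columns())]:
        print(name, "->", check_untrusted_markdown(payload))
```

Run the module directly to see which reason each constructed payload trips; `render_untrusted` raises before `cmarkgfm` is even imported for those inputs, so the guard can be unit-tested in a build without the native library. The delimiter-row count is the only check tied to a hard limit in the code (`UINT16_MAX` from the CVE-2022-24724 description); the run-length and bracket thresholds are heuristics and should be tuned against your own corpus before deployment.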
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-13T02:12:42.222361+00:00 | Debian Importer | Affected by | VCID-rbf4-3fdn-p3dg | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T02:06:09.839801+00:00 | Debian Importer | Affected by | VCID-tt1e-rhy4-vyf7 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T02:03:50.600654+00:00 | Debian Importer | Affected by | VCID-3t6s-s89g-1ff3 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T01:48:46.663815+00:00 | Debian Importer | Affected by | VCID-xpbx-rea4-1kej | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T01:43:21.820650+00:00 | Debian Importer | Affected by | VCID-n8rw-e9kt-77em | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T01:37:38.228519+00:00 | Debian Importer | Affected by | VCID-r3h9-dpmf-sfdq | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T00:58:42.728365+00:00 | Debian Importer | Affected by | VCID-nnsf-661k-duf5 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T00:53:13.915306+00:00 | Debian Importer | Affected by | VCID-6wj2-mkne-xyhd | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T00:45:46.875576+00:00 | Debian Importer | Affected by | VCID-tadv-58mt-m7ex | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T00:28:11.086153+00:00 | Debian Importer | Affected by | VCID-px6s-pf9p-yfem | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |