Bug 31885

Summary: cmark new security issue CVE-2023-22486
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, mhrambo3501, surfzoid, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: cmark-0.29.0-2.mga8.src.rpm
CVE: CVE-2023-22486
Status comment:
Bug Depends on:
Bug Blocks: 31945

Description David Walser 2023-05-06 23:42:53 CEST
SUSE has issued an advisory on May 4:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014722.html

The issue is fixed upstream in 0.30.3:
https://github.com/commonmark/cmark/releases/tag/0.30.3
David Walser 2023-05-06 23:43:11 CEST

Status comment: (none) => Fixed upstream in 0.30.3

Comment 1 Mike Rambo 2023-05-08 19:05:17 CEST
Updated package built for Mageia 8


Advisory:
========================

Patched cmark package fixes security vulnerability:

It was discovered that cmark incorrectly handled certain inputs. Fixes quadratic complexity in handle_close_bracket "![[]()" which may lead to a denial of service (CVE-2023-22486).

Noting that this also fixes a quadratic parsing issue with repeated <!-- that was not in a released product but which was assigned a CVE (CVE-2023-22484).


References:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014722.html
https://github.com/commonmark/cmark/releases/tag/0.30.3
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22486
========================

Updated packages in core/updates_testing:
========================
cmark-0.30.3-1.mga8.x86_64.rpm
lib64cmark0-0.30.3-1.mga8.x86_64.rpm
lib64cmark-devel-0.30.3-1.mga8.x86_64.rpm

from cmark-0.30.3-1.mga8.src.rpm

Assignee: mhrambo3501 => qa-bugs
CVE: (none) => CVE-2023-22486

David Walser 2023-05-09 00:28:11 CEST

Status comment: Fixed upstream in 0.30.3 => (none)
CC: (none) => mhrambo3501

Comment 2 Herman Viaene 2023-05-15 16:28:55 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No wiki, no previous updates, so looking for info.
From MCC: " It also provides a command-line program (`cmark`) for parsing and rendering CommonMark documents."
Googling around what might be a "CommonMark document", I didn't get any wiser.
Played with the command:

$ cmark --version
cmark 0.30.3 - CommonMark converter
(C) 2014-2016 John MacFarlane
$ cmark --help
Usage:   cmark [FILE*]
Options:
  --to, -t FORMAT  Specify output format (html, xml, man, commonmark, latex)
  --width WIDTH    Specify wrap width (default 0 = nowrap)
  --sourcepos      Include source position attribute
  --hardbreaks     Treat newlines as hard line breaks
  --nobreaks       Render soft line breaks as spaces
  --safe           Omit raw HTML and dangerous URLs
  --unsafe         Render raw HTML and dangerous URLs
  --smart          Use smart punctuation
  --validate-utf8  Replace invalid UTF-8 sequences with U+FFFD
  --help, -h       Print usage information
  --version        Print version

I will not object to the OK if someone decides this is sufficient.

CC: (none) => herman.viaene
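Neither the advisory in comment 1 nor the QA notes above show a way to confirm that the packaged 0.30.3 actually fixes the reported behaviour. The following regression check is an added example, not code from this bug, from Mageia or from the cmark project: it feeds cmark the advisory's "![[]()" pattern repeated at two input sizes and estimates how runtime grows with size. Linear growth (exponent near 1) is what a fixed build should show; growth near 2 would reproduce the quadratic behaviour described for CVE-2023-22486. It assumes a cmark binary on PATH (the name and the --safe flag come from the help output in comment 2); the input sizes are constructed values you may need to raise on a fast machine.

```python
import math
import shutil
import subprocess
import time

# Trigger pattern named in the advisory for CVE-2023-22486. Repeating it drove
# the unpatched handle_close_bracket into quadratic time.
PATTERN = "![[]()"


def pathological_input(n):
    """Return the advisory's pattern repeated n times."""
    return PATTERN * n


def growth_exponent(t_small, t_large, n_small, n_large):
    """Estimate k in time ~ n**k from two (size, time) measurements.

    A linear parser gives k close to 1; quadratic behaviour gives k close to 2.
    """
    return math.log(t_large / t_small) / math.log(n_large / n_small)


def time_cmark(text, cmark_bin):
    """Run cmark on text via stdin and return the wall-clock seconds taken."""
    start = time.perf_counter()
    subprocess.run([cmark_bin, "--safe"], input=text.encode("utf-8"),
                   stdout=subprocess.DEVNULL, check=True)
    return time.perf_counter() - start


def check_cmark(cmark_bin="cmark", n_small=20000, n_large=40000, threshold=1.5):
    """Compare cmark's runtime on two input sizes of the trigger pattern.

    Returns None when the binary is not installed (so callers can skip the
    check), otherwise a dict with both timings, the estimated exponent and a
    verdict: an exponent below `threshold` is consistent with the upstream fix.
    `reliable` is False when the smaller run was too short to measure well;
    raise n_small/n_large in that case.  (Sizes and threshold are assumptions.)
    """
    if shutil.which(cmark_bin) is None:
        return None
    t_small = time_cmark(pathological_input(n_small), cmark_bin)
    t_large = time_cmark(pathological_input(n_large), cmark_bin)
    exponent = growth_exponent(t_small, t_large, n_small, n_large)
    return {
        "t_small": t_small,
        "t_large": t_large,
        "exponent": exponent,
        "reliable": t_small >= 0.01,
        "fixed": exponent < threshold,
    }


if __name__ == "__main__":
    result = check_cmark()
    if result is None:
        print("cmark not found on PATH")
    else:
        print("t(%d)=%.3fs  t(%d)=%.3fs  exponent=%.2f  fixed=%s  reliable=%s" % (
            20000, result["t_small"], 40000, result["t_large"],
            result["exponent"], result["fixed"], result["reliable"]))
```

Running the script against the 0.29.0 package from the bug's Source RPM and then against the 0.30.3 update from updates_testing gives a before/after comparison that a QA report can cite; the exponent, not the absolute time, is the figure to compare, since absolute timings depend on the machine.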

Comment 3 Len Lawrence 2023-05-19 13:47:06 CEST
Neochat requires the library but deals with matters a little outside our purview:
"NeoChat is a client for Matrix, the decentralized communication protocol for instant messaging."
mkvtoolnix-gui also needs the library.  That has something to do with multiplexing in the context of building matroska files (MKV container files) which is rather too specialised for us.

Apart from following the tutorial for cmark and attempting to build an HTML document containing markdown directives there is not much we can do with this IMHO.  Might have a go at that sometime.

The packages update cleanly so I agree with Herman.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-05-20 02:56:52 CEST
Validated. Advisory in comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-21 03:21:14 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-05-21 10:44:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0181.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Thomas Backlund 2023-05-21 14:13:19 CEST

Blocks: (none) => 31945

Comment 6 Eric Petit 2023-05-21 22:35:44 CEST
Hi,
today, the MGA8 update asked to remove mkvtoolnix-gui, and afterwards I cannot install it back:

urpmi mkvtoolnix-gui
Le paquetage suivant ne peut pas être installé, car il dépend
de paquetage qui sont plus anciens que la version installée :
mkvtoolnix-gui-49.0.0-3.mga8

CC: (none) => surfzoid

Comment 7 Dave Hodgins 2023-05-21 23:56:27 CEST
Fix is in progress. See bug 31945