SB2023082054 - Multiple vulnerabilities in Comrak
Published: August 20, 2023
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper handling of exceptional conditions (CVE-ID: CVE-2023-28631)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of error conditions while input is parsed into the AST. A remote attacker can submit specially crafted input that triggers the unhandled condition and cause a denial of service (DoS).
2) Resource exhaustion (CVE-ID: CVE-2023-28626)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources while processing input. A remote attacker can send specially crafted input that triggers resource exhaustion and causes a denial of service (DoS).
Remediation
Install the update from the vendor's website (the fix commits and GitHub advisories are listed in the references below).
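The following is an added example, not comrak's code and not part of the original bulletin. It shows how a service that feeds untrusted Markdown into any parser can bound the impact of the two bug classes described above: an unhandled exceptional condition (in Rust, a panic) and unbounded resource consumption (deep recursion, long runtime). The parser itself is a stand-in (`toy_parse`) that recurses per nesting level and panics on a constructed marker, so the wrapper's controls can be exercised offline; the limits (`MAX_INPUT_BYTES`, `MAX_DEPTH`, `PARSE_TIMEOUT`) are assumed policy values, not values from comrak.

```rust
// Added example: hardened wrapper around an untrusted-input parser.
// `toy_parse` is a stand-in for a recursive block parser, NOT comrak's code.
use std::panic;
use std::sync::mpsc;
use std::thread;
use std::time::Duration;

/// Assumed policy: largest document accepted from an untrusted source.
pub const MAX_INPUT_BYTES: usize = 64 * 1024;
/// Assumed policy: deepest block nesting the parser will follow.
pub const MAX_DEPTH: usize = 64;
/// Assumed policy: wall-clock budget for one parse.
pub const PARSE_TIMEOUT: Duration = Duration::from_millis(500);
/// Stack reserved for the parser thread, independent of the caller's stack.
const PARSER_STACK_BYTES: usize = 8 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooLarge(usize),
    TooDeep,
    Panicked,
    Timeout,
    Internal(String),
}

/// Stand-in recursive parser: one recursion level per leading '>' (blockquote-style
/// nesting). The depth guard turns "too deep" into an error value; a stack overflow
/// cannot be caught in Rust, so this guard is the real control, not the thread stack.
fn parse_level(line: &str, depth: usize) -> Result<usize, ParseError> {
    if depth > MAX_DEPTH {
        return Err(ParseError::TooDeep);
    }
    match line.strip_prefix('>') {
        Some(rest) => parse_level(rest.trim_start(), depth + 1),
        None => {
            // Constructed stand-in for an unhandled exceptional condition in the
            // parser: a NUL byte makes the toy parser panic instead of erroring.
            if line.contains('\u{0}') {
                panic!("unexpected NUL in block content");
            }
            Ok(depth)
        }
    }
}

/// Returns the maximum nesting depth seen in the document.
pub fn toy_parse(input: &str) -> Result<usize, ParseError> {
    let mut max = 0;
    for line in input.lines() {
        max = max.max(parse_level(line, 0)?);
    }
    Ok(max)
}

/// Parse untrusted input with size, depth, panic and time bounds.
pub fn parse_untrusted(input: &str) -> Result<usize, ParseError> {
    // Control 1: reject oversized input before any work is done.
    if input.len() > MAX_INPUT_BYTES {
        return Err(ParseError::TooLarge(input.len()));
    }
    let owned = input.to_owned();
    let (tx, rx) = mpsc::channel();
    // Control 2: run the parser on its own thread with a known stack size so a
    // runaway parse cannot block or unwind the request thread.
    let spawned = thread::Builder::new()
        .name("md-parser".into())
        .stack_size(PARSER_STACK_BYTES)
        .spawn(move || {
            // Control 3: a panic inside the parser becomes an error value instead
            // of taking the worker (or, under panic=abort, the process) down.
            let result = panic::catch_unwind(|| toy_parse(&owned))
                .unwrap_or(Err(ParseError::Panicked));
            let _ = tx.send(result);
        });
    if let Err(e) = spawned {
        return Err(ParseError::Internal(format!("spawn failed: {e}")));
    }
    // Control 4: bound wall-clock time; the caller moves on if the budget is spent.
    match rx.recv_timeout(PARSE_TIMEOUT) {
        Ok(result) => result,
        Err(_) => Err(ParseError::Timeout),
    }
}

fn main() {
    let deep = format!("{}x", ">".repeat(200)); // constructed deeply nested input
    println!("{:?}", parse_untrusted("> quoted\nplain"));
    println!("{:?}", parse_untrusted(&deep));
    println!("{:?}", parse_untrusted("a\u{0}b"));
}
```

Two caveats a practitioner should keep in mind: a timed-out parser thread keeps running until it finishes, so the timeout protects latency but not CPU, and a process-wide limit on concurrent parser threads (or a separate worker process) is still needed; and `catch_unwind` only helps when the binary is built with the default `panic=unwind`, so check the profile before relying on it.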
References
- https://github.com/kivikakk/comrak/commit/9ff5f8df0ac951f5742d22a72c39b89a15f56639
- https://github.com/kivikakk/comrak/security/advisories/GHSA-5r3x-p7xx-x6q5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTWZWCT7KCX2KTXTLPUYZ3EHOONG4X46/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VQ3UBC7LE4VPCMZBTADIBL353CH7CPVV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUYME2VA555X6567H7ORIJQFN4BVGT6N/
- https://github.com/kivikakk/comrak/commit/ce795b7f471b01589f842dc09af38b025701178d
- https://github.com/kivikakk/comrak/security/advisories/GHSA-8hqf-xjwp-p67v