Skip to content

fix(deps): Update github.com/gomarkdown/markdown digest to 5421fef [SECURITY]#14016

Merged
kodiakhq[bot] merged 1 commit intomainfrom
renovate/go-github.com/gomarkdown/markdown-vulnerability
Sep 22, 2023
Merged

fix(deps): Update github.com/gomarkdown/markdown digest to 5421fef [SECURITY]#14016
kodiakhq[bot] merged 1 commit intomainfrom
renovate/go-github.com/gomarkdown/markdown-vulnerability

Conversation

@cq-bot
Copy link
Copy Markdown
Contributor

@cq-bot cq-bot commented Sep 22, 2023

This PR contains the following updates:

Package Type Update Change
github.com/gomarkdown/markdown indirect digest 14b07df -> 5421fef

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-42821

Summary

Parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability.

Details

To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go file on the line 69 when the parser tries to access the element past its length.

https://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69

PoC

package main

import (
	"github.com/gomarkdown/markdown"
	"github.com/gomarkdown/markdown/parser"
)

func main() {
	ext := parser.CommonExtensions |
		parser.Attributes |
		parser.OrderedListStart |
		parser.SuperSubscript |
		parser.Mmark
	p := parser.NewWithExtensions(ext)

	inp := []byte("[@​]")
	markdown.ToHTML(inp, p, nil)
}
$ go run main.go
panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
github.com/gomarkdown/markdown/parser.citation(0x10?, {0x1400000e3f0, 0x14000141801?, 0x3}, 0x0?)
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/citation.go:69 +0x544
github.com/gomarkdown/markdown/parser.link(0x14000152000?, {0x1400000e3f0?, 0x3?, 0x3?}, 0x14000141ad8?)
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/inline.go:308 +0x1c0
github.com/gomarkdown/markdown/parser.(*Parser).Inline(0x14000152000, {0x102d87f48, 0x14000076180}, {0x1400000e3f0, 0x3, 0x3})
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/inline.go:38 +0xb8
github.com/gomarkdown/markdown/parser.(*Parser).Parse.func1({0x102d87f48?, 0x14000076180}, 0x0?)
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/parser.go:307 +0x8c
github.com/gomarkdown/markdown/ast.NodeVisitorFunc.Visit(0x140000106e0?, {0x102d87f48?, 0x14000076180?}, 0x68?)
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:574 +0x38
github.com/gomarkdown/markdown/ast.Walk({0x102d87f48, 0x14000076180}, {0x102d87348, 0x140000106e0})
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:546 +0x58
github.com/gomarkdown/markdown/ast.Walk({0x102d877b0, 0x14000076120}, {0x102d87348, 0x140000106e0})
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:557 +0x144
github.com/gomarkdown/markdown/ast.WalkFunc(...)
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:580
github.com/gomarkdown/markdown/parser.(*Parser).Parse(0x14000152000, {0x1400000e3f0?, 0x0?, 0x0?})
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/parser.go:304 +0x16c
github.com/gomarkdown/markdown.Parse({0x1400000e3f0?, 0x3f?, 0x14000141e38?}, 0x102c6b43c?)
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/markdown.go:53 +0x6c
github.com/gomarkdown/markdown.ToHTML({0x1400000e3f0?, 0x0?, 0x60?}, 0x0?, {0x0, 0x0})
	/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/markdown.go:77 +0x30
main.main()
	/Users/demon/tools/markdown_cve_poc/main.go:17 +0x5c
exit status 2

Impact

Denial of Service / panic

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cq-bot cq-bot added automerge Automatically merge once required checks pass security labels Sep 22, 2023
@cq-bot cq-bot added the cli label Sep 22, 2023
@kodiakhq kodiakhq bot merged commit 4cd51a9 into main Sep 22, 2023
@kodiakhq kodiakhq bot deleted the renovate/go-github.com/gomarkdown/markdown-vulnerability branch September 22, 2023 21:16
@cq-bot cq-bot mentioned this pull request Sep 22, 2023
Merged
kodiakhq bot pushed a commit that referenced this pull request Sep 26, 2023
@cq-bot
chore(main): Release cli v3.19.1 (#14014)
031cc3b 
🤖 I have created a release *beep* *boop*
---


## [3.19.1](cli-v3.19.0...cli-v3.19.1) (2023-09-26)


### Bug Fixes

* **deps:** Update github.com/gomarkdown/markdown digest to 5421fef [SECURITY] ([#14016](#14016)) ([4cd51a9](4cd51a9))
* **deps:** Update module github.com/cloudquery/cloudquery-api-go to v1.2.0 ([#14013](#14013)) ([58d9aa5](58d9aa5))
* **deps:** Update module github.com/cloudquery/plugin-sdk/v4 to v4.11.0 ([#14031](#14031)) ([ac7cdc4](ac7cdc4))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

No one assigned

Labels

automerge Automatically merge once required checks pass

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cq-bot @renovate-bot