Out-of-bounds read in github.com/gomarkdown/markdown
Description
Markdown vulnerable to Out-of-bounds Read while parsing citations
Summary
Parsing malformed markdown input with a parser that uses the parser.Mmark extension could result in an out-of-bounds read.
Details
To exploit the vulnerability, the parser needs to have the parser.Mmark extension set. The panic occurs in citation.go on line 69, when the parser tries to access an element past the end of the data it is indexing.
PoC
```go
package main

import (
	"github.com/gomarkdown/markdown"
	"github.com/gomarkdown/markdown/parser"
)

func main() {...
```

```
$ go run main.go
panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
github.com/gomarkdown/markdown/parser.citation(0x10?, {0x1400000e3f0, 0x14000141801?, 0x3}, 0x0?)
	/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/citation.go:69 +0x544
github.com/gomarkdown/markdown/parser.link(0x14000152000?, {0x1400000e3f0?, 0x3?, 0x3?}, 0x14000141ad8?)
	/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/inline.go:308 +0x1c0
...
```
Impact
Denial of Service / panic
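Because the impact is an unrecovered panic, a service that renders untrusted markdown can contain it at the call site in addition to updating. The following is an added example, not code from the advisory or from gomarkdown: `SafeRender`, `standInRender` and `checkedRender` are hypothetical names, and the stand-in parser only reproduces the bug class shown in the trace (reading index 1 of a one-byte slice) on constructed input.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrRenderPanic marks errors produced by a renderer that panicked.
var ErrRenderPanic = errors.New("markdown renderer panicked")

// SafeRender calls render(input) and turns a panic into an error, so one
// malformed document fails one request instead of the whole process.
// recover only works in the goroutine that panicked, so wrap the call itself.
func SafeRender(render func([]byte) []byte, input []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = nil
			err = fmt.Errorf("%w: %v", ErrRenderPanic, r)
		}
	}()
	return render(input), nil
}

// standInRender is a constructed stand-in (assumption, not the library's
// code): it reads tok[1] without checking the length first.
func standInRender(tok []byte) []byte {
	if tok[1] == '!' { // panics when len(tok) < 2
		return []byte("flagged")
	}
	return []byte("plain")
}

// checkedRender is the same logic with the bounds check in place.
func checkedRender(tok []byte) []byte {
	if len(tok) > 1 && tok[1] == '!' {
		return []byte("flagged")
	}
	return []byte("plain")
}

func main() {
	for _, in := range []string{"a!ref", "a"} { // constructed sample inputs
		_, err := SafeRender(standInRender, []byte(in))
		fmt.Printf("%q unchecked: err=%v\n", in, err)
		out, _ := SafeRender(checkedRender, []byte(in))
		fmt.Printf("%q checked:   %s\n", in, out)
	}
}
```

Log the returned error with the offending input's size or hash so repeated malformed submissions are visible to monitoring.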
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
go | 0.0.0-20230922105210-14b16010c2ee | ||
debian 12 | - | ||
debian 13 | 0.0~git20231115.a660076-1 | ||
debian 14 | 0.0~git20231115.a660076-1 |