CVE-2015-5147: Stack Overflow via header_anchor()

July 14, 2015

The package redcarpet contains a flaw that allows a stack overflow. This flaw exists because the header_anchor() function in html.c uses variable length arrays (VLA) without any range checking. This may allow a remote attacker to execute arbitrary code.

References

seclists.org/oss-sec/2015/q2/818
github.com/vmg/redcarpet/commit/2cee777c1e5babe8a1e2683d31ea75cc4afe55fb

Code Behaviors & Features

Detect and mitigate CVE-2015-5147 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →