cmark-gfm - Debian Package Tracker

general

source: cmark-gfm (main)
version: 0.29.0.gfm.6-6
maintainer: Keith Packard (DMD)
arch: any
std-ver: 4.6.0.1
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 0.28.3.gfm.19-3
stable: 0.29.0.gfm.0-6
testing: 0.29.0.gfm.6-6
unstable: 0.29.0.gfm.6-6

versioned links

0.28.3.gfm.19-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.29.0.gfm.0-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.29.0.gfm.6-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cmark-gfm (1 bugs: 0, 1, 0, 0)
libcmark-gfm-dev
libcmark-gfm-extensions-dev
libcmark-gfm-extensions0.29.0.gfm.6
libcmark-gfm0.29.0.gfm.6

action needed

A new upstream version is available: 0.29.0.gfm.9 high

A new upstream version 0.29.0.gfm.9 is available, you should consider packaging it.

Created: 2023-01-26 Last update: 2023-03-28 11:30

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.

Created: 2023-01-31 Last update: 2023-03-27 11:06

7 security issues in buster high

There are 7 open security issues in buster.

4 important issues:

CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.

3 issues postponed or untriaged:

CVE-2020-5238: (needs triaging) The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 takes O(n * n) time to parse certain inputs. An attacker could craft a markdown table which would take an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project. The issue has been fixed in version 0.29.0.gfm.1.
CVE-2022-24724: (needs triaging) cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
CVE-2022-39209: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

Created: 2023-01-31 Last update: 2023-03-27 11:06

7 security issues in bullseye high

There are 7 open security issues in bullseye.

6 important issues:

CVE-2022-24724: cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.

1 issue left for the package maintainer to handle:

CVE-2020-5238: (needs triaging) The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 takes O(n * n) time to parse certain inputs. An attacker could craft a markdown table which would take an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project. The issue has been fixed in version 0.29.0.gfm.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2022-07-04 Last update: 2023-03-27 11:06

4 security issues in bookworm high

There are 4 open security issues in bookworm.

4 important issues:

CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.

Created: 2023-01-31 Last update: 2023-03-27 11:06

lintian reports 2 errors high

Lintian reports 2 errors about this package. You should make the package lintian clean getting rid of them.

Created: 2022-12-29 Last update: 2023-02-04 05:01

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2023-03-20 Last update: 2023-03-28 07:03

debian/patches: 4 patches to forward upstream low

Among the 4 debian patches available in version 0.29.0.gfm.6-6 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-26 15:54

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2022-12-29 Last update: 2022-12-29 12:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.0.1).

Created: 2022-05-11 Last update: 2022-12-29 14:17

news

[rss feed]

[2022-12-31] cmark-gfm 0.29.0.gfm.6-6 MIGRATED to testing (Debian testing watch)
[2022-12-29] Accepted cmark-gfm 0.29.0.gfm.6-6 (source) into unstable (Keith Packard)
[2022-12-29] Accepted cmark-gfm 0.29.0.gfm.6-5 (source) into unstable (Keith Packard)
[2022-12-29] Accepted cmark-gfm 0.29.0.gfm.6-4 (source) into unstable (Keith Packard)
[2022-12-28] Accepted cmark-gfm 0.29.0.gfm.6-3 (source) into unstable (Keith Packard)
[2022-12-02] cmark-gfm 0.29.0.gfm.6-2.1 MIGRATED to testing (Debian testing watch)
[2022-11-30] Accepted cmark-gfm 0.29.0.gfm.6-2.1 (source) into unstable (Scott Talbert)
[2022-10-26] Accepted cmark-gfm 0.29.0.gfm.6-2 (source amd64) into unstable (Debian FTP Masters) (signed by: Keith Packard)
[2022-03-15] cmark-gfm 0.29.0.gfm.3-3 MIGRATED to testing (Debian testing watch)
[2022-03-12] Accepted cmark-gfm 0.29.0.gfm.3-3 (source amd64) into unstable, unstable (Debian FTP Masters) (signed by: Keith Packard)
[2022-01-24] cmark-gfm 0.29.0.gfm.2-2 MIGRATED to testing (Debian testing watch)
[2022-01-22] Accepted cmark-gfm 0.29.0.gfm.2-2 (source amd64) into unstable, unstable (Debian FTP Masters) (signed by: Keith Packard)
[2022-01-18] Accepted cmark-gfm 0.29.0.gfm.2-1 (source) into unstable (Keith Packard)
[2020-09-05] cmark-gfm 0.29.0.gfm.0-6 MIGRATED to testing (Debian testing watch)
[2020-09-02] Accepted cmark-gfm 0.29.0.gfm.0-6 (source) into unstable (Keith Packard)
[2020-08-28] Accepted cmark-gfm 0.29.0.gfm.0-5 (source) into unstable (Keith Packard)
[2020-03-12] cmark-gfm 0.29.0.gfm.0-4 MIGRATED to testing (Debian testing watch)
[2020-03-09] Accepted cmark-gfm 0.29.0.gfm.0-4 (source) into unstable (Keith Packard)
[2019-12-20] cmark-gfm 0.29.0.gfm.0-3 MIGRATED to testing (Debian testing watch)
[2019-12-17] Accepted cmark-gfm 0.29.0.gfm.0-3 (source) into unstable (Keith Packard)
[2019-12-17] Accepted cmark-gfm 0.29.0.gfm.0-2 (source) into unstable (Keith Packard)
[2019-04-22] Accepted cmark-gfm 0.29.0.gfm.0-1 (source amd64) into unstable (Keith Packard)
[2019-03-09] Accepted cmark-gfm 0.28.3.gfm.20-3 (source amd64) into unstable (Keith Packard)
[2019-03-09] Accepted cmark-gfm 0.28.3.gfm.20-2 (source amd64) into unstable (Keith Packard)
[2019-03-09] Accepted cmark-gfm 0.28.3.gfm.20-1 (source amd64) into unstable (Keith Packard)
[2018-10-26] cmark-gfm 0.28.3.gfm.19-3 MIGRATED to testing (Debian testing watch)
[2018-10-23] Accepted cmark-gfm 0.28.3.gfm.19-3 (source amd64) into unstable (Keith Packard)
[2018-10-23] Accepted cmark-gfm 0.28.3.gfm.19-2 (source amd64) into unstable (Keith Packard)
[2018-10-22] Accepted cmark-gfm 0.28.3.gfm.19-1 (source amd64) into unstable (Keith Packard)
[2018-10-15] cmark-gfm 0.28.3.gfm.17-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (2, 0)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.29.0.gfm.6-6