Debian Package Tracker
Register | Log in
Subscribe

python-cmarkgfm

GitHub-flavored Markdown renderer Python bindings

Choose email to subscribe with

general
  • source: python-cmarkgfm (main)
  • version: 2024.11.20-1
  • maintainer: Debian Python Team (DMD)
  • uploaders: Nicolas Dandrimont [DMD]
  • arch: any
  • std-ver: 4.6.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.4.2-1
  • oldstable: 0.4.2-1
  • stable: 0.8.0-3
  • testing: 2024.11.20-1
  • unstable: 2024.11.20-1
versioned links
  • 0.4.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.8.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2024.11.20-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • python3-cmarkgfm
action needed
8 low-priority security issues in bookworm low

There are 8 open security issues in bookworm.

8 issues left for the package maintainer to handle:
  • CVE-2022-39209: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
  • CVE-2023-22483: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
  • CVE-2023-22484: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22485: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22486: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-24824: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
  • CVE-2023-26485: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. ### Impact A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. ### Proof of concept ``` $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing the number 10000 in the above commands causes the running time to increase quadratically. ### Patches This vulnerability have been patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of [cmark](https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both `cmark` and `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting this vulnerability. ### References https://en.wikipedia.org/wiki/Time_complexity ### For more information If you have any questions or comments about this advisory: * Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)
  • CVE-2023-37463: (needs triaging) cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2025-05-03 05:32
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).
Created: 2022-12-17 Last update: 2025-04-23 19:01
news
[rss feed]
  • [2025-05-03] python-cmarkgfm 2024.11.20-1 MIGRATED to testing (Debian testing watch)
  • [2025-04-23] Accepted python-cmarkgfm 2024.11.20-1 (source) into unstable (Colin Watson)
  • [2022-10-20] python-cmarkgfm 0.8.0-3 MIGRATED to testing (Debian testing watch)
  • [2022-10-16] Accepted python-cmarkgfm 0.8.0-3 (source) into unstable (Jelmer Vernooij) (signed by: Jelmer Vernooij)
  • [2022-10-01] python-cmarkgfm 0.8.0-2 MIGRATED to testing (Debian testing watch)
  • [2022-09-28] Accepted python-cmarkgfm 0.8.0-2 (source) into unstable (Carsten Schoenert)
  • [2022-03-13] python-cmarkgfm 0.8.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-11] python-cmarkgfm 0.7.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-10] Accepted python-cmarkgfm 0.8.0-1 (source) into unstable (Carsten Schoenert)
  • [2022-03-07] Accepted python-cmarkgfm 0.7.0-1 (source) into unstable (Carsten Schoenert)
  • [2018-05-04] python-cmarkgfm 0.4.2-1 MIGRATED to testing (Debian testing watch)
  • [2018-05-01] Accepted python-cmarkgfm 0.4.2-1 (source amd64) into unstable, unstable (Nicolas Dandrimont)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 0
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2024.11.20-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing