ruby-commonmarker - Debian Package Tracker

general

source: ruby-commonmarker (main)
version: 0.23.10-1
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Pirate Praveen [DMD]
arch: any
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.21.0-1
oldstable: 0.23.6-1
stable: 0.23.10-1
testing: 0.23.10-1
unstable: 0.23.10-1

versioned links

0.21.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.23.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.23.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ruby-commonmarker

action needed

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.5.0-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 0bd25ad28ff230fff2db95333278d0fe0f6ab5d9
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:16:52 2025 -0600

    Refresh patch

commit 5d6f19c4953e581e155831b73821426971e6710e
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:16:20 2025 -0600

    Update Standards-Version to 4.7.2, no changes needed.

commit 93fd8b02a48bcf1e5dd12b9c54d851d12d9a9400
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:15:59 2025 -0600

    Drop {XS,XB}-Ruby-Versions from control.

commit 347810db6b61c31dd81f282079d74e8c4f6d1ddd
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:15:49 2025 -0600

    New upstream release.

commit b034fc1b331ab77aa17a00b3240e891d0d3cf1ff
Merge: 36f232c c8ef22a
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:15:22 2025 -0600

    Update upstream source from tag 'upstream/2.5.0'
    
    Update to upstream version '2.5.0'
    with Debian dir 856d04716a46d3dd849fec9faff8db5d3e304b0a

commit c8ef22ac594bec9cb87a593a217538abae018e0b
Author: Simon Quigley <tsimonq2@debian.org>
Date:   Wed Nov 12 10:15:22 2025 -0600

    New upstream version 2.5.0

commit 36f232cbf837e32d4b5d87c0c435bfcceba6ea35
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Sat Sep 6 05:18:23 2025 +0000

    debian/salsa-ci.yml: use team-specific include

commit 7b24bf488dea251038e9dd2526a1904052425765
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Sat Sep 6 05:18:20 2025 +0000

    debian/.gitattributes: remove

commit ed3e2ad32f340bccfdb3a5205ca9f0b65b379365
Author: Lucas Nussbaum <lucas@debian.org>
Date:   Mon Aug 25 06:29:45 2025 +0000

    debian/gbp.conf: Add for DEP-14

Created: 2025-08-25 Last update: 2025-11-25 19:48

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-07-15 Last update: 2025-11-03 23:17

8 low-priority security issues in bookworm low

There are 8 open security issues in bookworm.

1 issue left for the package maintainer to handle:

CVE-2023-22485: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.

You can find information about how to handle this issue in the security team's documentation.

7 ignored issues:

CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
CVE-2023-24824: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
CVE-2023-26485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. ### Impact A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. ### Proof of concept ``` $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing the number 10000 in the above commands causes the running time to increase quadratically. ### Patches This vulnerability have been patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of [cmark](https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both `cmark` and `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting this vulnerability. ### References https://en.wikipedia.org/wiki/Time_complexity ### For more information If you have any questions or comments about this advisory: * Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)
CVE-2023-37463: cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.

Created: 2023-06-10 Last update: 2025-10-25 22:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2025-02-27 13:24

news

[rss feed]

[2023-11-10] ruby-commonmarker 0.23.10-1 MIGRATED to testing (Debian testing watch)
[2023-11-08] Accepted ruby-commonmarker 0.23.10-1 (source) into unstable (Ravish BC) (signed by: Praveen Arimbrathodiyil)
[2023-07-20] ruby-commonmarker 0.23.9-1 MIGRATED to testing (Debian testing watch)
[2023-07-14] Accepted ruby-commonmarker 0.23.9-1 (source) into unstable (Vinay Keshava)
[2023-02-09] Accepted ruby-commonmarker 0.23.6-1~bpo11+1 (source amd64) into bullseye-backports (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2022-11-23] ruby-commonmarker 0.23.6-1 MIGRATED to testing (Debian testing watch)
[2022-11-20] Accepted ruby-commonmarker 0.23.6-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2022-04-05] ruby-commonmarker 0.23.4-1 MIGRATED to testing (Debian testing watch)
[2022-04-01] Accepted ruby-commonmarker 0.23.4-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-12-11] ruby-commonmarker 0.23.2-2 MIGRATED to testing (Debian testing watch)
[2021-12-09] Accepted ruby-commonmarker 0.23.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-11-18] Accepted ruby-commonmarker 0.23.2-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-11-13] ruby-commonmarker 0.21.0-3 MIGRATED to testing (Debian testing watch)
[2021-11-11] Accepted ruby-commonmarker 0.21.0-3 (source) into unstable (Daniel Leidert)
[2021-11-07] ruby-commonmarker 0.21.0-2 MIGRATED to testing (Debian testing watch)
[2021-11-04] Accepted ruby-commonmarker 0.21.0-2 (source) into unstable (Sergio Durigan Junior)
[2020-08-28] ruby-commonmarker 0.21.0-1 MIGRATED to testing (Debian testing watch)
[2020-08-26] Accepted ruby-commonmarker 0.21.0-1 (source) into unstable (Cédric Boutillier)
[2020-07-18] ruby-commonmarker 0.20.2-2 MIGRATED to testing (Debian testing watch)
[2020-07-13] Accepted ruby-commonmarker 0.20.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-01-06] Accepted ruby-commonmarker 0.20.2-1~bpo10+1 (source amd64) into buster-backports, buster-backports (Nilesh) (signed by: Praveen Arimbrathodiyil)
[2019-12-27] ruby-commonmarker 0.20.2-1 MIGRATED to testing (Debian testing watch)
[2019-12-25] Accepted ruby-commonmarker 0.20.2-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2019-12-24] Accepted ruby-commonmarker 0.17.9-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2018-05-18] Accepted ruby-commonmarker 0.17.9-1~bpo9+1 (source amd64) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2018-04-01] ruby-commonmarker 0.17.9-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 7)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.23.10-1build3