Debian Package Tracker
Register | Log in
Subscribe

ruby-commonmarker

CommonMark parser and renderer - Written in C, wrapped in Ruby

Choose email to subscribe with

general
  • source: ruby-commonmarker (main)
  • version: 0.23.6-1
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Pirate Praveen [DMD]
  • arch: any
  • std-ver: 4.6.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-bpo: 0.17.9-1~bpo9+1
  • oldstable: 0.17.9-1
  • old-bpo: 0.20.2-1~bpo10+1
  • stable: 0.21.0-1
  • stable-bpo: 0.23.6-1~bpo11+1
  • testing: 0.23.6-1
  • unstable: 0.23.6-1
versioned links
  • 0.17.9-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.17.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.20.2-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.21.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.23.6-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.23.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • ruby-commonmarker
action needed
Problems while searching for a new upstream version high
uscan had problems while searching for a new upstream version:
In watchfile debian/watch, reading webpage
  https://api.github.com/repos/gjtorikian/commonmarker/releases failed: 403 rate limit exceeded
Created: 2023-03-24 Last update: 2023-03-28 18:04
5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:
  • CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
  • CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
  • CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
Created: 2022-07-04 Last update: 2023-03-27 11:06
7 security issues in buster high

There are 7 open security issues in buster.

4 important issues:
  • CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
  • CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
3 issues postponed or untriaged:
  • CVE-2020-5238: (needs triaging) The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 takes O(n * n) time to parse certain inputs. An attacker could craft a markdown table which would take an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project. The issue has been fixed in version 0.29.0.gfm.1.
  • CVE-2022-24724: (needs triaging) cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
  • CVE-2022-39209: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
Created: 2023-03-17 Last update: 2023-03-27 11:06
6 security issues in bullseye high

There are 6 open security issues in bullseye.

6 important issues:
  • CVE-2022-24724: cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.
  • CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
  • CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
  • CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
Created: 2022-07-04 Last update: 2023-03-27 11:06
5 security issues in bookworm high

There are 5 open security issues in bookworm.

5 important issues:
  • CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
  • CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
  • CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
Created: 2022-07-04 Last update: 2023-03-27 11:06
lintian reports 9 warnings normal
Lintian reports 9 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2022-01-01 Last update: 2023-02-02 16:05
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).
Created: 2022-12-17 Last update: 2022-12-17 19:18
news
[rss feed]
  • [2023-02-09] Accepted ruby-commonmarker 0.23.6-1~bpo11+1 (source amd64) into bullseye-backports (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2022-11-23] ruby-commonmarker 0.23.6-1 MIGRATED to testing (Debian testing watch)
  • [2022-11-20] Accepted ruby-commonmarker 0.23.6-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2022-04-05] ruby-commonmarker 0.23.4-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-01] Accepted ruby-commonmarker 0.23.4-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-12-11] ruby-commonmarker 0.23.2-2 MIGRATED to testing (Debian testing watch)
  • [2021-12-09] Accepted ruby-commonmarker 0.23.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-11-18] Accepted ruby-commonmarker 0.23.2-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-11-13] ruby-commonmarker 0.21.0-3 MIGRATED to testing (Debian testing watch)
  • [2021-11-11] Accepted ruby-commonmarker 0.21.0-3 (source) into unstable (Daniel Leidert)
  • [2021-11-07] ruby-commonmarker 0.21.0-2 MIGRATED to testing (Debian testing watch)
  • [2021-11-04] Accepted ruby-commonmarker 0.21.0-2 (source) into unstable (Sergio Durigan Junior)
  • [2020-08-28] ruby-commonmarker 0.21.0-1 MIGRATED to testing (Debian testing watch)
  • [2020-08-26] Accepted ruby-commonmarker 0.21.0-1 (source) into unstable (Cédric Boutillier)
  • [2020-07-18] ruby-commonmarker 0.20.2-2 MIGRATED to testing (Debian testing watch)
  • [2020-07-13] Accepted ruby-commonmarker 0.20.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2020-01-06] Accepted ruby-commonmarker 0.20.2-1~bpo10+1 (source amd64) into buster-backports, buster-backports (Nilesh) (signed by: Praveen Arimbrathodiyil)
  • [2019-12-27] ruby-commonmarker 0.20.2-1 MIGRATED to testing (Debian testing watch)
  • [2019-12-25] Accepted ruby-commonmarker 0.20.2-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2019-12-24] Accepted ruby-commonmarker 0.17.9-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-05-18] Accepted ruby-commonmarker 0.17.9-1~bpo9+1 (source amd64) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-04-01] ruby-commonmarker 0.17.9-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 2
  • RC: 0
  • I&N: 2
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 9)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 0.23.6-1build2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing