Debian Package Tracker
Register | Log in
Subscribe

ruby-commonmarker

Ruby wrapper for Rust's comrak crate

Choose email to subscribe with

general
  • source: ruby-commonmarker (main)
  • version: 2.8.3-1
  • maintainer: Debian Ruby Team (archive) (DMD)
  • uploaders: Pirate Praveen [DMD] – Soren Stoutner [DMD]
  • arch: any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.21.0-1
  • oldstable: 0.23.6-1
  • stable: 0.23.10-1
  • testing: 0.23.10-1
  • unstable: 2.8.3-1
versioned links
  • 0.21.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.23.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.23.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.8.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • ruby-commonmarker
action needed
lintian reports 3 warnings normal
Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-07-12 Last update: 2026-07-12 09:18
8 low-priority security issues in bookworm low

There are 8 open security issues in bookworm.

1 issue left for the package maintainer to handle:
  • CVE-2023-22485: (needs triaging) cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.

You can find information about how to handle this issue in the security team's documentation.

7 ignored issues:
  • CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
  • CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
  • CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-24824: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
  • CVE-2023-26485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. ### Impact A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. ### Proof of concept ``` $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing the number 10000 in the above commands causes the running time to increase quadratically. ### Patches This vulnerability have been patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of [cmark](https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both `cmark` and `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting this vulnerability. ### References https://en.wikipedia.org/wiki/Time_complexity ### For more information If you have any questions or comments about this advisory: * Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)
  • CVE-2023-37463: cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.
Created: 2023-06-10 Last update: 2026-07-12 04:49
testing migrations
  • excuses:
    • Migration status for ruby-commonmarker (0.23.10-1 to 2.8.3-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
    • ∙ ∙ Autopkgtest for ruby-commonmarker/2.8.3-1: amd64: Pass, arm64: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for ruby-github-markup/6.0.0+dfsg-1: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • ∙ ∙ Autopkgtest for ruby-html-pipeline/2.14.3-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • ∙ ∙ Autopkgtest for ruby-jekyll-commonmark/1.4.0-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • ∙ ∙ Autopkgtest for ruby-task-list/2.3.2-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • ∙ ∙ Autopkgtest for tdiary-style-gfm/1.2.0-3: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • ∙ ∙ ruby-commonmarker unsatisfiable Build-Depends(-Arch) on armhf: architecture-is-64-bit
    • ∙ ∙ ruby-commonmarker unsatisfiable Build-Depends(-Arch) on i386: architecture-is-64-bit
    • ∙ ∙ Missing build on armhf
    • ∙ ∙ Missing build on i386
    • ∙ ∙ Autopkgtest deferred on armhf: missing arch:armhf build
    • ∙ ∙ Autopkgtest deferred on i386: missing arch:i386 build
    • ∙ ∙ Lintian check waiting for test results on i386, armhf - info
    • ∙ ∙ Reproducibility check deferred on armhf: missing builds - info
    • ∙ ∙ Reproducibility check deferred on i386: missing builds - info
    • ∙ ∙ Too young, only 4 of 5 days old
    • Additional info (not blocking):
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/r/ruby-commonmarker.html
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • Not considered
news
[rss feed]
  • [2026-07-11] Accepted ruby-commonmarker 2.8.3-1 (source) into unstable (Soren Stoutner)
  • [2023-11-10] ruby-commonmarker 0.23.10-1 MIGRATED to testing (Debian testing watch)
  • [2023-11-08] Accepted ruby-commonmarker 0.23.10-1 (source) into unstable (Ravish BC) (signed by: Praveen Arimbrathodiyil)
  • [2023-07-20] ruby-commonmarker 0.23.9-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-14] Accepted ruby-commonmarker 0.23.9-1 (source) into unstable (Vinay Keshava)
  • [2023-02-09] Accepted ruby-commonmarker 0.23.6-1~bpo11+1 (source amd64) into bullseye-backports (Debian FTP Masters) (signed by: Utkarsh Gupta)
  • [2022-11-23] ruby-commonmarker 0.23.6-1 MIGRATED to testing (Debian testing watch)
  • [2022-11-20] Accepted ruby-commonmarker 0.23.6-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2022-04-05] ruby-commonmarker 0.23.4-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-01] Accepted ruby-commonmarker 0.23.4-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-12-11] ruby-commonmarker 0.23.2-2 MIGRATED to testing (Debian testing watch)
  • [2021-12-09] Accepted ruby-commonmarker 0.23.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-11-18] Accepted ruby-commonmarker 0.23.2-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-11-13] ruby-commonmarker 0.21.0-3 MIGRATED to testing (Debian testing watch)
  • [2021-11-11] Accepted ruby-commonmarker 0.21.0-3 (source) into unstable (Daniel Leidert)
  • [2021-11-07] ruby-commonmarker 0.21.0-2 MIGRATED to testing (Debian testing watch)
  • [2021-11-04] Accepted ruby-commonmarker 0.21.0-2 (source) into unstable (Sergio Durigan Junior)
  • [2020-08-28] ruby-commonmarker 0.21.0-1 MIGRATED to testing (Debian testing watch)
  • [2020-08-26] Accepted ruby-commonmarker 0.21.0-1 (source) into unstable (Cédric Boutillier)
  • [2020-07-18] ruby-commonmarker 0.20.2-2 MIGRATED to testing (Debian testing watch)
  • [2020-07-13] Accepted ruby-commonmarker 0.20.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2020-01-06] Accepted ruby-commonmarker 0.20.2-1~bpo10+1 (source amd64) into buster-backports, buster-backports (Nilesh) (signed by: Praveen Arimbrathodiyil)
  • [2019-12-27] ruby-commonmarker 0.20.2-1 MIGRATED to testing (Debian testing watch)
  • [2019-12-25] Accepted ruby-commonmarker 0.20.2-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2019-12-24] Accepted ruby-commonmarker 0.17.9-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-05-18] Accepted ruby-commonmarker 0.17.9-1~bpo9+1 (source amd64) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-04-01] ruby-commonmarker 0.17.9-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian (0, 3)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 0.23.10-1build3

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing