Debian Package Tracker

r-cran-commonmark

high performance CommonMark and Github markdown rendering in R


general
  • source: r-cran-commonmark (main)
  • version: 1.9.5-1
  • maintainer: Debian R Packages Maintainers (archive) (DMD) (LowNMU)
  • uploaders: Andreas Tille [DMD]
  • arch: any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org] [pool directory]
  • o-o-stable: 1.7-1
  • oldstable: 1.7-2
  • stable: 1.8.1-1
  • testing: 1.9.5-1
  • unstable: 1.9.5-1
versioned links
  • 1.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.7-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.8.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.9.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • r-cran-commonmark
action needed
Build log checks report 1 warning (severity: low)
Created: 2018-06-03 Last update: 2018-06-03 02:46
No known security issue in bookworm wishlist

There are 7 open security issues in bookworm.

7 ignored issues:
  • CVE-2023-22483: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.
  • CVE-2023-22484: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
  • CVE-2023-24824: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
  • CVE-2023-26485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
    Impact: A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.
    Proof of concept (from the upstream advisory, run inside a cmark-gfm checkout): `python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext`. Increasing the number 10000 in the above command causes the running time to increase quadratically.
    Patches: This vulnerability has been patched in 0.29.0.gfm.10.
    Note on cmark and cmark-gfm (XXX: TBD): cmark-gfm (https://github.com/github/cmark-gfm) is a fork of cmark (https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both `cmark` and `cmark-gfm`.
    Credit: We would like to thank @gravypod for reporting this vulnerability.
    References: https://en.wikipedia.org/wiki/Time_complexity
    For more information: If you have any questions or comments about this advisory, open an issue in github/cmark-gfm (https://github.com/github/cmark-gfm).
  • CVE-2023-37463: cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.
Created: 2023-06-10 Last update: 2025-03-22 04:01
news
[rss feed]
  • [2025-03-22] r-cran-commonmark 1.9.5-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-20] Accepted r-cran-commonmark 1.9.5-1 (source) into unstable (Charles Plessy)
  • [2024-12-13] r-cran-commonmark 1.9.2-2 MIGRATED to testing (Debian testing watch)
  • [2024-12-10] Accepted r-cran-commonmark 1.9.2-2 (source) into unstable (Andreas Tille)
  • [2024-10-11] Accepted r-cran-commonmark 1.9.2-1 (source) into unstable (Charles Plessy)
  • [2024-02-15] r-cran-commonmark 1.9.1-1 MIGRATED to testing (Debian testing watch)
  • [2024-02-13] Accepted r-cran-commonmark 1.9.1-1 (source) into unstable (Andreas Tille)
  • [2023-07-17] r-cran-commonmark 1.9.0-1 MIGRATED to testing (Debian testing watch)
  • [2023-06-12] Accepted r-cran-commonmark 1.9.0-1 (source) into unstable (Andreas Tille)
  • [2022-10-28] r-cran-commonmark 1.8.1-1 MIGRATED to testing (Debian testing watch)
  • [2022-10-25] Accepted r-cran-commonmark 1.8.1-1 (source) into unstable (Andreas Tille)
  • [2022-03-12] r-cran-commonmark 1.8.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-09] Accepted r-cran-commonmark 1.8.0-1 (source) into unstable (Andreas Tille)
  • [2020-09-05] r-cran-commonmark 1.7-2 MIGRATED to testing (Debian testing watch)
  • [2020-09-02] Accepted r-cran-commonmark 1.7-2 (source) into unstable (Andreas Tille)
  • [2018-12-08] r-cran-commonmark 1.7-1 MIGRATED to testing (Debian testing watch)
  • [2018-12-05] Accepted r-cran-commonmark 1.7-1 (source) into unstable (Andreas Tille)
  • [2018-10-06] r-cran-commonmark 1.6-1 MIGRATED to testing (Debian testing watch)
  • [2018-10-04] Accepted r-cran-commonmark 1.6-1 (source) into unstable (Dylan Aïssi)
  • [2018-06-13] r-cran-commonmark 1.5-1 MIGRATED to testing (Debian testing watch)
  • [2018-05-30] Accepted r-cran-commonmark 1.5-1 (source amd64) into unstable, unstable (Andreas Tille)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, checks, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.9.5-1
  • 1 bug

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers