#1033111 python-cmarkgfm: CVE-2023-22483 CVE-2023-22484 CVE-2023-22485 CVE-2023-22486

Package:
src:python-cmarkgfm
Source:
src:python-cmarkgfm
Submitter:
Moritz Mühlenhoff
Date:
2025-04-23 10:21:02 UTC
Severity:
normal
Tags:
#1033111#5
Date:
2023-03-17 13:54:35 UTC
From:
To:
Hi,

The following vulnerabilities were published for python-cmarkgfm.

CVE-2023-22483[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to several polynomial time complexity issues in cmark-gfm that
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Various commands, when piped to cmark-gfm with large values,
| cause the running time to increase quadratically. These
| vulnerabilities have been patched in version 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c

CVE-2023-22484[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to a polynomial time complexity issue in cmark-gfm that may
| lead to unbounded resource exhaustion and subsequent denial of
| service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r

CVE-2023-22485[2]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior to 0.29.0.gfm.7, a
| crafted markdown document can trigger an out-of-bounds read in the
| `validate_protocol` function. We believe this bug is harmless in
| practice, because the out-of-bounds read accesses `malloc` metadata
| without causing any visible damage. This vulnerability has been patched
| in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

CVE-2023-22486[3]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7
| contain a polynomial time complexity issue in handle_close_bracket
| that may lead to unbounded resource exhaustion and subsequent denial
| of service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22483
https://www.cve.org/CVERecord?id=CVE-2023-22483
[1] https://security-tracker.debian.org/tracker/CVE-2023-22484
https://www.cve.org/CVERecord?id=CVE-2023-22484
[2] https://security-tracker.debian.org/tracker/CVE-2023-22485
https://www.cve.org/CVERecord?id=CVE-2023-22485
[3] https://security-tracker.debian.org/tracker/CVE-2023-22486
https://www.cve.org/CVERecord?id=CVE-2023-22486

Please adjust the affected versions in the BTS as needed.

#1033111#12
Date:
2024-10-26 17:07:18 UTC
From:
To:
On Mon, Apr 10, 2023 at 06:11:39PM +0200, Moritz Mühlenhoff wrote:
https://github.com/theacodes/cmarkgfm/commit/acf473a51a9dc3a4fd6d6a4b30e4d80c94d91d4a

Besides CVE-2023-24824 CVE-2023-26485, this release also fixes:
CVE-2023-37463 (no bug), CVE-2023-22486/CVE-2023-22485/CVE-2023-22484/CVE-2023-22483 (#1033111),
CVE-2022-39209 (#1034887)

Cheers,
        Moritz

#1033111#17
Date:
2025-04-23 09:55:53 UTC
From:
To:
Hello,

Bug #1033111 in python-cmarkgfm reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/python-cmarkgfm/-/commit/e0c500952acc077d5f526d6809403b1886a7b0ac
------------------------------------------------------------------------
Update upstream source from tag 'upstream/2024.11.20'

Update to upstream version '2024.11.20'
with Debian dir 99f0eb0b69b05361f23a882eedd15fe91fdd0c9a

Closes: #1033111, #1034172, #1034887, #1041098, #1072833
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1033111

#1033111#24
Date:
2025-04-23 10:19:10 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
python-cmarkgfm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033111@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated python-cmarkgfm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 23 Apr 2025 10:54:43 +0100
Source: python-cmarkgfm
Architecture: source
Version: 2024.11.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1033111 1034172 1034887 1041098 1072833
Changes:
 python-cmarkgfm (2024.11.20-1) unstable; urgency=medium
 .
   * Team upload.
   * d/watch: Switch back to PyPI, since its tarballs include submodule
     contents.
   * New upstream release (closes: #1072833):
     - CVE-2022-39209: Remove polynomial time complexity in autolink
       extension (closes: #1034887).
     - CVE-2023-22483: Quadratic complexity bugs may lead to a denial of
       service.
     - CVE-2023-22484: Quadratic complexity bug in handle_pointy_brace may
       lead to a denial of service.
     - CVE-2023-22485: Out-of-bounds read in validate_protocol.
     - CVE-2023-22486: Quadratic complexity bug in handle_close_bracket may
       lead to a denial of service (closes: #1033111).
     - CVE-2023-24824, CVE-2023-26485: Fix quadratic behavior in rendering
       (closes: #1034172).
     - CVE-2023-37463: Quadratic complexity bugs may lead to a denial of
       service (closes: #1041098).