Your message dated Wed, 23 Apr 2025 10:19:10 +0000
with message-id <e1u7xca-00cnoc...@fasolo.debian.org>
and subject line Bug#1033111: fixed in python-cmarkgfm 2024.11.20-1
has caused the Debian Bug report #1033111,
regarding python-cmarkgfm: CVE-2023-22483 CVE-2023-22484 CVE-2023-22485 CVE-2023-22486
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033111: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033111
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-cmarkgfm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for python-cmarkgfm.

CVE-2023-22483[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to several polynomial time complexity issues in cmark-gfm that
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Various commands, when piped to cmark-gfm with large values,
| cause the running time to increase quadratically. These
| vulnerabilities have been patched in version 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c

CVE-2023-22484[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to a polynomial time complexity issue in cmark-gfm that may
| lead to unbounded resource exhaustion and subsequent denial of
| service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r

CVE-2023-22485[2]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior to 0.29.0.gfm.7,
| a crafted markdown document can trigger an out-of-bounds read in the
| `validate_protocol` function. We believe this bug is harmless in
| practice, because the out-of-bounds read accesses `malloc` metadata
| without causing any visible damage. This vulnerability has been
| patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

CVE-2023-22486[3]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7
| contain a polynomial time complexity issue in handle_close_bracket
| that may lead to unbounded resource exhaustion and subsequent denial
| of service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22483
    https://www.cve.org/CVERecord?id=CVE-2023-22483
[1] https://security-tracker.debian.org/tracker/CVE-2023-22484
    https://www.cve.org/CVERecord?id=CVE-2023-22484
[2] https://security-tracker.debian.org/tracker/CVE-2023-22485
    https://www.cve.org/CVERecord?id=CVE-2023-22485
[3] https://security-tracker.debian.org/tracker/CVE-2023-22486
    https://www.cve.org/CVERecord?id=CVE-2023-22486

Please adjust the affected versions in the BTS as needed.

--- End Message ---
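Three of the four advisories quoted above are the same class of bug: render time that grows quadratically with input size, which a renderer exposed to untrusted Markdown turns into a denial of service. That class can be regression-tested empirically without knowing the exact reproducer. The harness below is an added example written for this page; it is not code from the Debian package, the cmark-gfm project or the advisories. It fits a power-law exponent to (input size, render time) samples and flags anything growing noticeably faster than linear. The stress inputs, the 1.5 exponent threshold and the `quadratic_stand_in` fallback renderer are this example's own choices (labelled as such in the comments); the stress shapes are generic and are not the advisories' proof-of-concept inputs. When `cmarkgfm` is importable it uses the real `cmarkgfm.github_flavored_markdown_to_html` entry point, otherwise it exercises the stand-in so the output still shows what a super-linear result looks like.

```python
"""Empirical check for super-linear Markdown render time.

Added example for this bug report; not code from the Debian package, the
cmark-gfm project or the advisories. A renderer whose cost grows
quadratically (the class of bug in CVE-2023-22483/22484/22486) shows up
as a fitted exponent near 2 rather than near 1. The stress inputs are
generic shapes chosen here, not the advisories' reproducers.
"""
import math
import time
from typing import Callable, Sequence


def scaling_exponent(sizes: Sequence[int], times: Sequence[float]) -> float:
    """Least-squares slope of log(time) against log(size).

    ~1.0 means linear growth, ~2.0 quadratic. Needs at least two distinct
    sizes and strictly positive times (log is undefined otherwise).
    """
    if len(sizes) != len(times) or len(sizes) < 2:
        raise ValueError("need at least two (size, time) samples")
    xs = [math.log(s) for s in sizes]
    ys = [math.log(t) for t in times]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    if den == 0:
        raise ValueError("sizes must not all be equal")
    return num / den


def is_superlinear(exponent: float, threshold: float = 1.5) -> bool:
    """Flag growth noticeably faster than linear.

    The 1.5 threshold is an assumption of this example: halfway between
    the linear (1) and quadratic (2) regimes, leaving room for timing noise.
    """
    return exponent > threshold


def _timed(fn: Callable[[str], str], arg: str) -> float:
    t0 = time.perf_counter()
    fn(arg)
    return time.perf_counter() - t0


def time_render(render: Callable[[str], str],
                make_input: Callable[[int], str],
                sizes: Sequence[int],
                repeats: int = 3) -> list:
    """Best-of-`repeats` wall time of render(make_input(n)) for each n."""
    times = []
    for n in sizes:
        doc = make_input(n)
        best = min(_timed(render, doc) for _ in range(repeats))
        times.append(max(best, 1e-9))  # keep log() defined on very fast renders
    return times


# Constructed stress shapes chosen for this example (not advisory PoCs).
# "plain_paragraph" is the control: any sane renderer is linear on it.
STRESS_SHAPES = {
    "nested_blockquote": lambda n: ">" * n + " x\n",
    "open_brackets":     lambda n: "[" * n + "x\n",
    "pointy_braces":     lambda n: "<" * n + "x\n",
    "plain_paragraph":   lambda n: "word " * n + "\n",
}


def quadratic_stand_in(doc: str) -> str:
    """Deliberately O(n^2) 'renderer' used when cmarkgfm is not installed,
    so the harness has something to flag. Prepending rebuilds the whole
    string on every step; the result is simply the reversed input."""
    out = ""
    for ch in doc:
        out = ch + out
    return out


if __name__ == "__main__":
    sizes = [1_000, 2_000, 4_000, 8_000]
    try:
        import cmarkgfm
        from importlib.metadata import version
        render = cmarkgfm.github_flavored_markdown_to_html
        print("cmarkgfm", version("cmarkgfm"))
    except ImportError:
        render = quadratic_stand_in
        print("cmarkgfm not installed; using quadratic stand-in renderer")
    for name, shape in STRESS_SHAPES.items():
        t = time_render(render, shape, sizes)
        e = scaling_exponent(sizes, t)
        flag = "SUPERLINEAR" if is_superlinear(e) else "ok"
        print(f"{name:18s} exponent={e:.2f} {flag}")
```

Doubling the size four times is enough for the fit to separate linear from quadratic even with noisy timings; a fixed renderer should report exponents near 1 for every shape, the same as the plain-paragraph control, while a quadratic one reports close to 2. Keep the control shape in any such check so a slow machine is not mistaken for a slow algorithm.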
--- Begin Message ---
Source: python-cmarkgfm
Source-Version: 2024.11.20-1
Done: Colin Watson <cjwat...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-cmarkgfm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated python-cmarkgfm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Apr 2025 10:54:43 +0100
Source: python-cmarkgfm
Architecture: source
Version: 2024.11.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1033111 1034172 1034887 1041098 1072833
Changes:
 python-cmarkgfm (2024.11.20-1) unstable; urgency=medium
 .
   * Team upload.
   * d/watch: Switch back to PyPI, since its tarballs include submodule
     contents.
   * New upstream release (closes: #1072833):
     - CVE-2022-39209: Remove polynomial time complexity in autolink
       extension (closes: #1034887).
     - CVE-2023-22483: Quadratic complexity bugs may lead to a denial of
       service.
     - CVE-2023-22484: Quadratic complexity bug in handle_pointy_brace may
       lead to a denial of service.
     - CVE-2023-22485: Out-of-bounds read in validate_protocol.
     - CVE-2023-22486: Quadratic complexity bug in handle_close_bracket may
       lead to a denial of service (closes: #1033111).
     - CVE-2023-24824, CVE-2023-26485: Fix quadratic behavior in rendering
       (closes: #1034172).
     - CVE-2023-37463: Quadratic complexity bugs may lead to a denial of
       service (closes: #1041098).
Checksums-Sha1:
 c563f27061bc704780155ef3a5c679c873dcc7a8 2354 python-cmarkgfm_2024.11.20-1.dsc
 70fc743fdd846c674cce465fa22808dfa9b633f7 146799 python-cmarkgfm_2024.11.20.orig.tar.gz
 a0d8930a534cdb13375da1aff98d87ed1d312151 5260 python-cmarkgfm_2024.11.20-1.debian.tar.xz
Checksums-Sha256:
 fd871cc640260c2c288f37a4b0e0f467c7417311eef7668f9e4dd4a2a8566d7a 2354 python-cmarkgfm_2024.11.20-1.dsc
 5dd01cf61975a8a57213cdef5ed870e936032f13fe93d60ddf659ffb9cf73c6a 146799 python-cmarkgfm_2024.11.20.orig.tar.gz
 ee4b9d0725a6fc51cd4f8c01fad94e50a322dc48300f07ed54850be6c41fb2b0 5260 python-cmarkgfm_2024.11.20-1.debian.tar.xz
Files:
 c997cd033350e5af9a57fddd00990e74 2354 python optional python-cmarkgfm_2024.11.20-1.dsc
 669ad7aff2f7706f754c627188f343a9 146799 python optional python-cmarkgfm_2024.11.20.orig.tar.gz
 8b9609459fb00fef095abb23c398fd35 5260 python optional python-cmarkgfm_2024.11.20-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmgIuR0ACgkQOTWH2X2G
UAtMwhAAtji8U+B+g/hg4yBBlzWS1IvJMb7iSPfpFBpW374oDIVg2cUePHKlgErX
jGY35FSBEZ6MN6Bveeb7W0H3yWFWsGUeGOtjypOTDPDoP0ZW1P9B9phOn4+abzNU
1o0NiPdA+fzIstOMF3AmnBPuMbsG0lFgWK0IJFRAl3Smpd4OVLkYSvUfZkETXF2s
W/cht1bjrCw1VAx1vv/CEuv8f0Z/PvHSBrFLDVnqxZqzCrZ8nYNK7xfD7wTs3Zjx
RfVKQOv8yEE0YULY+6MEHlPJcajrH3CaoASeVqFwemJK810gUdBj+v5kWA/zJkzk
UCAH/B9K5+GyXhabk/EYQULWT4XF4faaj9PIbhTyGk2LP6QGMdccTPvNfkylolu4
Fl/3HSt331/CEdk/4gcmm93Wfittlil7tABsK0MeMwzFaCwfBzL6pnMDlf+J2hZC
2BDZAAmyNbuACYmbdOzGCnH8DJ6cZmhf4jSakXtBimD495Id5MN6yU956xyTFqDr
c4oLI/hUnQFgGOVmDnBM10vWO9WBsDd4rnfEh8mZjFFU1AZgIhI0N9IMboS0dqny
pne/l/aYs1BaL18dNihJbj/GPmS0/IXpVMPNAMn0/JiJugAnq1TxT0QaSBRMnJuq
PC2eNbh5XULvGmHLnmZ9n5HScKc+c/h9+kLIRr9lryyKcTlUc3E=
=pAuk
-----END PGP SIGNATURE-----

--- End Message ---