Your message dated Wed, 23 Apr 2025 10:19:11 +0000
with message-id <e1u7xcb-00cnoh...@fasolo.debian.org>
and subject line Bug#1034172: fixed in python-cmarkgfm 2024.11.20-1
has caused the Debian Bug report #1034172,
regarding python-cmarkgfm: CVE-2023-26485 CVE-2023-24824
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1034172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034172
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-cmarkgfm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for python-cmarkgfm.
CVE-2023-26485[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `_` characters.
| This issue has been addressed in version 0.29.0.gfm.10. Users are
| advised to upgrade. Users unable to upgrade should validate that their
| input comes from trusted sources.
|
| ### Impact
| A polynomial time complexity issue in cmark-gfm may lead to unbounded
| resource exhaustion and subsequent denial of service.
|
| ### Proof of concept
| ```
| $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext
| ```
| Increasing the number 10000 in the above commands causes the running
| time to increase quadratically.
|
| ### Patches
| This vulnerability has been patched in 0.29.0.gfm.10.
|
| ### Note on cmark and cmark-gfm
| XXX: TBD
| [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of
| [cmark](https://github.com/commonmark/cmark) that adds the GitHub
| Flavored Markdown extensions. The two codebases have diverged over
| time, but share a common core. These bugs affect both `cmark` and
| `cmark-gfm`.
|
| ### Credit
| We would like to thank @gravypod for reporting this vulnerability.
|
| ### References
| https://en.wikipedia.org/wiki/Time_complexity
|
| ### For more information
| If you have any questions or comments about this advisory:
| * Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)
https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5
https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987
CVE-2023-24824[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. A polynomial time complexity issue
| in cmark-gfm may lead to unbounded resource exhaustion and subsequent
| denial of service. This CVE covers quadratic complexity issues when
| parsing text which leads with either large numbers of `>` or `-`
| characters. This issue has been addressed in version 0.29.0.gfm.10.
| Users are advised to upgrade. Users unable to upgrade should validate
| that their input comes from trusted sources.
https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-26485
https://www.cve.org/CVERecord?id=CVE-2023-26485
[1] https://security-tracker.debian.org/tracker/CVE-2023-24824
https://www.cve.org/CVERecord?id=CVE-2023-24824
Please adjust the affected versions in the BTS as needed.
--- End Message ---
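Both advisories quoted above describe the same failure mode: rendering time that grows quadratically with the length of a run of `_`, `>` or `-` characters. A fix for that class of bug is best guarded by a regression test that measures how running time scales with input size, not by a single fixed input. The Python module below is an added example and is not part of this bug report, of cmark-gfm or of python-cmarkgfm: it times a callable at doubling input sizes, fits the growth exponent by least squares on a log-log scale, and flags anything that is not close to linear. The two workloads at the bottom are constructed stand-ins so the module runs offline; the `cmarkgfm.github_flavored_markdown_to_html` call mentioned in the docstring is how one would plug in the real renderer (assumed API, not exercised here).

```python
"""Complexity regression probe (added example, not project code).

Times a callable at doubling input sizes, fits t(n) ~ c * n^k by ordinary
least squares on (log n, log t), and returns k.  Linear behaviour gives
k ~ 1, quadratic behaviour k ~ 2.

The two workloads at the bottom are constructed stand-ins so this runs
offline.  To probe a real renderer, pass a callable such as (assumed
python-cmarkgfm API, not run here):
    lambda n: cmarkgfm.github_flavored_markdown_to_html("_" * n + "." + "_" * n)
and assert that growth_exponent() stays near 1 on the patched version.
"""
import math
import time
from typing import Callable, Sequence

Workload = Callable[[int], object]


def time_min_of(fn: Workload, n: int, repeats: int = 3) -> float:
    """Best-of-`repeats` wall time of fn(n); the minimum discards scheduler noise."""
    best = math.inf
    for _ in range(repeats):
        start = time.perf_counter()
        fn(n)
        best = min(best, time.perf_counter() - start)
    return best


def growth_exponent(fn: Workload, sizes: Sequence[int], repeats: int = 3) -> float:
    """Estimate k in t(n) ~ c * n^k from timings at the given sizes.

    Ordinary least-squares slope of log(t) against log(n); needs two or
    more distinct sizes.  Timings are clamped away from zero so log() is
    defined even for trivially fast calls.
    """
    if len(set(sizes)) < 2:
        raise ValueError("need at least two distinct sizes")
    xs = [math.log(n) for n in sizes]
    ys = [math.log(max(time_min_of(fn, n, repeats), 1e-9)) for n in sizes]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx


def scales_linearly(fn: Workload, sizes: Sequence[int], max_exponent: float = 1.5) -> bool:
    """True when the fitted exponent stays below max_exponent (1.5 splits n from n^2)."""
    return growth_exponent(fn, sizes) < max_exponent


# Constructed workloads standing in for a renderer so the module runs offline.
def linear_workload(n: int) -> int:
    # O(n): one pass over n * 2000 integers inside the C-implemented sum().
    return sum(range(n * 2000))


def quadratic_workload(n: int) -> int:
    # O(n^2): the inner loop runs i times for each i < n, i.e. n(n-1)/2 steps.
    return sum(1 for i in range(n) for _j in range(i))


# Doubling sizes give evenly spaced points on the log axis.
SIZES = (500, 1000, 2000, 4000)

if __name__ == "__main__":
    for name, fn in (("linear", linear_workload), ("quadratic", quadratic_workload)):
        k = growth_exponent(fn, SIZES)
        verdict = "ok" if k < 1.5 else "SUPERLINEAR"
        print(f"{name:9s} exponent ~ {k:.2f}  {verdict}")
```

In a CI job the probe is pointed at the real renderer with the advisory's input shape and asserted to stay under the threshold; a regression to quadratic behaviour then fails the build on its own rather than being noticed only when a service falls over under a crafted document.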
--- Begin Message ---
Source: python-cmarkgfm
Source-Version: 2024.11.20-1
Done: Colin Watson <cjwat...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-cmarkgfm, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated python-cmarkgfm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 23 Apr 2025 10:54:43 +0100
Source: python-cmarkgfm
Architecture: source
Version: 2024.11.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1033111 1034172 1034887 1041098 1072833
Changes:
python-cmarkgfm (2024.11.20-1) unstable; urgency=medium
 .
   * Team upload.
   * d/watch: Switch back to PyPI, since its tarballs include submodule
     contents.
   * New upstream release (closes: #1072833):
     - CVE-2022-39209: Remove polynomial time complexity in autolink
       extension (closes: #1034887).
     - CVE-2023-22483: Quadratic complexity bugs may lead to a denial of
       service.
     - CVE-2023-22484: Quadratic complexity bug in handle_pointy_brace may
       lead to a denial of service.
     - CVE-2023-22485: Out-of-bounds read in validate_protocol.
     - CVE-2023-22486: Quadratic complexity bug in handle_close_bracket may
       lead to a denial of service (closes: #1033111).
     - CVE-2023-24824, CVE-2023-26485: Fix quadratic behavior in rendering
       (closes: #1034172).
     - CVE-2023-37463: Quadratic complexity bugs may lead to a denial of
       service (closes: #1041098).
Checksums-Sha1:
c563f27061bc704780155ef3a5c679c873dcc7a8 2354 python-cmarkgfm_2024.11.20-1.dsc
70fc743fdd846c674cce465fa22808dfa9b633f7 146799 python-cmarkgfm_2024.11.20.orig.tar.gz
a0d8930a534cdb13375da1aff98d87ed1d312151 5260 python-cmarkgfm_2024.11.20-1.debian.tar.xz
Checksums-Sha256:
fd871cc640260c2c288f37a4b0e0f467c7417311eef7668f9e4dd4a2a8566d7a 2354 python-cmarkgfm_2024.11.20-1.dsc
5dd01cf61975a8a57213cdef5ed870e936032f13fe93d60ddf659ffb9cf73c6a 146799 python-cmarkgfm_2024.11.20.orig.tar.gz
ee4b9d0725a6fc51cd4f8c01fad94e50a322dc48300f07ed54850be6c41fb2b0 5260 python-cmarkgfm_2024.11.20-1.debian.tar.xz
Files:
c997cd033350e5af9a57fddd00990e74 2354 python optional python-cmarkgfm_2024.11.20-1.dsc
669ad7aff2f7706f754c627188f343a9 146799 python optional python-cmarkgfm_2024.11.20.orig.tar.gz
8b9609459fb00fef095abb23c398fd35 5260 python optional python-cmarkgfm_2024.11.20-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmgIuR0ACgkQOTWH2X2G
UAtMwhAAtji8U+B+g/hg4yBBlzWS1IvJMb7iSPfpFBpW374oDIVg2cUePHKlgErX
jGY35FSBEZ6MN6Bveeb7W0H3yWFWsGUeGOtjypOTDPDoP0ZW1P9B9phOn4+abzNU
1o0NiPdA+fzIstOMF3AmnBPuMbsG0lFgWK0IJFRAl3Smpd4OVLkYSvUfZkETXF2s
W/cht1bjrCw1VAx1vv/CEuv8f0Z/PvHSBrFLDVnqxZqzCrZ8nYNK7xfD7wTs3Zjx
RfVKQOv8yEE0YULY+6MEHlPJcajrH3CaoASeVqFwemJK810gUdBj+v5kWA/zJkzk
UCAH/B9K5+GyXhabk/EYQULWT4XF4faaj9PIbhTyGk2LP6QGMdccTPvNfkylolu4
Fl/3HSt331/CEdk/4gcmm93Wfittlil7tABsK0MeMwzFaCwfBzL6pnMDlf+J2hZC
2BDZAAmyNbuACYmbdOzGCnH8DJ6cZmhf4jSakXtBimD495Id5MN6yU956xyTFqDr
c4oLI/hUnQFgGOVmDnBM10vWO9WBsDd4rnfEh8mZjFFU1AZgIhI0N9IMboS0dqny
pne/l/aYs1BaL18dNihJbj/GPmS0/IXpVMPNAMn0/JiJugAnq1TxT0QaSBRMnJuq
PC2eNbh5XULvGmHLnmZ9n5HScKc+c/h9+kLIRr9lryyKcTlUc3E=
=pAuk
-----END PGP SIGNATURE-----
--- End Message ---