Control: tags 984668 + patch Control: tags 984668 + pending
Dear maintainer, I've prepared an NMU for python-markdown2 (versioned as 2.3.10-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru python-markdown2-2.3.10/debian/changelog python-markdown2-2.3.10/debian/changelog
--- python-markdown2-2.3.10/debian/changelog 2021-01-16 23:04:54.000000000 +0100
+++ python-markdown2-2.3.10/debian/changelog 2021-06-05 10:38:29.000000000 +0200
@@ -1,3 +1,10 @@
+python-markdown2 (2.3.10-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Regex DOS fixes (CVE-2021-26813) (Closes: #984668)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 05 Jun 2021 10:38:29 +0200
+
 python-markdown2 (2.3.10-1) unstable; urgency=medium
 
 [ Ond??ej Nov?? ]
diff -Nru python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0001-Regex-DOS-fixes.patch python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0001-Regex-DOS-fixes.patch
--- python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0001-Regex-DOS-fixes.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0001-Regex-DOS-fixes.patch 2021-06-05 10:37:42.000000000 +0200
@@ -0,0 +1,57 @@
+From: Nicholas Serra <nickse...@gmail.com>
+Date: Wed, 20 Jan 2021 17:23:21 -0500
+Subject: [1/3] Regex DOS fixes
+Origin: https://github.com/trentm/python-markdown2/commit/96dff22341489459c8cb832fdfd066a588ec23bf
+Bug: https://github.com/trentm/python-markdown2/pull/387
+Bug-Debian: https://bugs.debian.org/984668
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-26813
+
+---
+ lib/markdown2.py | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/markdown2.py b/lib/markdown2.py
+index bb5260bef210..f3e41cc19d13 100755
+--- a/lib/markdown2.py
++++ b/lib/markdown2.py
+@@ -532,7 +532,7 @@ class Markdown(object):
+
+ return tail
+
+- _emacs_oneliner_vars_pat = re.compile(r"-\*-\s*([^\r\n]*?)\s*-\*-", re.UNICODE)
++ _emacs_oneliner_vars_pat = re.compile(r"-\*-\s*(?:(\S[^\r\n]*?)([\r\n]\s*)?)?-\*-", re.UNICODE)
+ # This regular expression is intended to match blocks like this:
+ # PREFIX Local Variables: SUFFIX
+ # PREFIX mode: Tcl SUFFIX
+@@ -892,8 +892,8 @@ class Markdown(object):
+ '''
+ # First pass to define all the references
+ self.regex_defns = re.compile(r'''
+- \[\#(\w+)\s* # the counter. Open square plus hash plus a word \1
+- ([^@]*)\s* # Some optional characters, that aren't an @. \2
++ \[\#(\w+) # the counter. Open square plus hash plus a word \1
++ ([^@]*) # Some optional characters, that aren't an @. \2
+ @(\w+) # the id. Should this be normed? \3
+ ([^\]]*)\] # The rest of the text up to the terminating ] \4
+ ''', re.VERBOSE)
+@@ -908,7 +908,7 @@ class Markdown(object):
+ if len(match.groups()) != 4:
+ continue
+ counter = match.group(1)
+- text_before = match.group(2)
++ text_before = match.group(2).strip()
+ ref_id = match.group(3)
+ text_after = match.group(4)
+ number = counters.get(counter, 1)
+@@ -1926,7 +1926,7 @@ class Markdown(object):
+
+ _fenced_code_block_re = re.compile(r'''
+ (?:\n+|\A\n?)
+- ^```\s*?([\w+-]+)?\s*?\n # opening fence, $1 = optional lang
++ ^```\s{0,2}([\w+-]+)?\s*?\n # opening fence, $1 = optional lang
+ (.*?) # $2 = code block content
+ ^```[ \t]*\n # closing fence
+ ''', re.M | re.X | re.S)
+--
+2.32.0.rc0
+
diff -Nru python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0002-Pretty-comment-alignment.patch python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0002-Pretty-comment-alignment.patch
--- python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0002-Pretty-comment-alignment.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0002-Pretty-comment-alignment.patch 2021-06-05 10:37:42.000000000 +0200
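Review bot: In 0001-Regex-DOS-fixes.patch the rewritten `_emacs_oneliner_vars_pat` makes capture group 1 optional and drops the `\s*` that used to trim blanks before the closing `-*-`, so `match.group(1)` can now be `None` (nothing between the markers) or end in whitespace. The `@@ -908` hunk compensates for its removed `\s*` with `match.group(2).strip()`, but no equivalent change is visible for this pattern; the code that reads the match lies outside the hunk and should be checked. Reading the value as `(match.group(1) or "").strip()` would preserve the previous contract. The added `([\r\n]\s*)?` also lets the closing marker sit on the following line, which looks broader than a one-line variables header and deserves a comment if it is intended.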
@@ -0,0 +1,32 @@
+From: Nicholas Serra <nickse...@gmail.com>
+Date: Wed, 20 Jan 2021 17:27:21 -0500
+Subject: [2/3] Pretty comment alignment
+Origin: https://github.com/trentm/python-markdown2/commit/e1954d3a345fc7a4ccc113bd58f7df81ad63b6ec
+Bug: https://github.com/trentm/python-markdown2/pull/387
+Bug-Debian: https://bugs.debian.org/984668
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-26813
+
+---
+ lib/markdown2.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/markdown2.py b/lib/markdown2.py
+index f3e41cc19d13..61bb6f691632 100755
+--- a/lib/markdown2.py
++++ b/lib/markdown2.py
+@@ -1926,9 +1926,9 @@ class Markdown(object):
+
+ _fenced_code_block_re = re.compile(r'''
+ (?:\n+|\A\n?)
+- ^```\s{0,2}([\w+-]+)?\s*?\n # opening fence, $1 = optional lang
+- (.*?) # $2 = code block content
+- ^```[ \t]*\n # closing fence
++ ^```\s{0,2}([\w+-]+)?\s*?\n # opening fence, $1 = optional lang
++ (.*?) # $2 = code block content
++ ^```[ \t]*\n # closing fence
+ ''', re.M | re.X | re.S)
+
+ def _fenced_code_block_sub(self, match):
+--
+2.32.0.rc0
+
diff -Nru python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0003-Be-forgiving.patch python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0003-Be-forgiving.patch
--- python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0003-Be-forgiving.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.10/debian/patches/CVE-2021-26813/0003-Be-forgiving.patch 2021-06-05 10:37:42.000000000 +0200
@@ -0,0 +1,32 @@
+From: Nicholas Serra <nickse...@gmail.com>
+Date: Wed, 20 Jan 2021 18:28:54 -0500
+Subject: [3/3] Be forgiving
+Origin: https://github.com/trentm/python-markdown2/commit/c4b4ccb3f9da33f29b013d6d765fd223a8277cfe
+Bug: https://github.com/trentm/python-markdown2/pull/387
+Bug-Debian: https://bugs.debian.org/984668
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-26813
+
+---
+ lib/markdown2.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/markdown2.py b/lib/markdown2.py
+index 61bb6f691632..61b22006e3bc 100755
+--- a/lib/markdown2.py
++++ b/lib/markdown2.py
+@@ -1926,9 +1926,9 @@ class Markdown(object):
+
+ _fenced_code_block_re = re.compile(r'''
+ (?:\n+|\A\n?)
+- ^```\s{0,2}([\w+-]+)?\s*?\n # opening fence, $1 = optional lang
+- (.*?) # $2 = code block content
+- ^```[ \t]*\n # closing fence
++ ^```\s{0,99}([\w+-]+)?\s{0,99}\n # opening fence, $1 = optional lang
++ (.*?) # $2 = code block content
++ ^```[ \t]*\n # closing fence
+ ''', re.M | re.X | re.S)
+
+ def _fenced_code_block_sub(self, match):
+--
+2.32.0.rc0
+
diff -Nru python-markdown2-2.3.10/debian/patches/series python-markdown2-2.3.10/debian/patches/series
--- python-markdown2-2.3.10/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-markdown2-2.3.10/debian/patches/series 2021-06-05 10:38:03.000000000 +0200
@@ -0,0 +1,3 @@
+CVE-2021-26813/0001-Regex-DOS-fixes.patch
+CVE-2021-26813/0002-Pretty-comment-alignment.patch
+CVE-2021-26813/0003-Be-forgiving.patch
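Review bot: In 0003-Be-forgiving.patch the opening-fence fragment `\s{0,99}([\w+-]+)?\s{0,99}\n` still uses `\s`, which matches newlines, so the fence can run across blank lines and capture the first word of the block content as the language, while the closing fence is restricted to `[ \t]*`. Using `[ \t]{0,99}` on both sides of the language group would keep the opening fence on one line and stop the two bounded runs from competing with the trailing `\n`. The literal 99 is presumably a cap on backtracking for the ReDoS fix; a short comment such as `# bounded repeat: limits backtracking (CVE-2021-26813)` would stop a later cleanup from turning it back into `\s*`. The enclosing `Markdown` class starts and continues outside the hunk.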