Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: markdown-it...@packages.debian.org, eam...@yaerobi.com, santi...@debian.org Control: affects -1 + src:markdown-it-py
Please unblock package markdown-it-py

[ Reason ]
This release applies two patches from upstream to fix two security issues: CVE-2023-26302 and CVE-2023-26303.

[ Impact ]
The security bugs will be present in Bookworm if the unblock isn't granted:
* CVE-2023-26302: Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input.
* CVE-2023-26303: Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input.

[ Tests ]
As I did not find a standalone exploit to test against, I reproduced the tests provided by upstream, and the patches pass them.

[ Risks ]
This is a small code change covered by upstream tests, and the patches are part of a new upstream release, so the risk is low.

[ Checklist ]
[x] all changes are documented in the d/changelog
[ ] I reviewed all changes and I approve them - Santiago Ruano Rincón sponsored this package.
[x] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock markdown-it-py/2.1.0-5

diff -Nru markdown-it-py-2.1.0/debian/changelog markdown-it-py-2.1.0/debian/changelog
--- markdown-it-py-2.1.0/debian/changelog 2022-10-01 11:49:00.000000000 -0300
+++ markdown-it-py-2.1.0/debian/changelog 2023-03-31 07:50:42.000000000 -0300
@@ -1,3 +1,13 @@
+markdown-it-py (2.1.0-5) unstable; urgency=high
+
+ * d/paches: Add patches from upstream to fix CVE-2023-26302 and
+ CVE-2023-26303 (Closes: #1031764).
+ - The patches added are:
+ 0001-fix-unnecessary-asserts-leading-to-crashes.patch and
+ 0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch.
+
+ -- Emmanuel Arias <eam...@yaerobi.com> Fri, 31 Mar 2023 07:50:42 -0300
+
 markdown-it-py (2.1.0-4) unstable; urgency=medium
 
 * Team upload.
diff -Nru markdown-it-py-2.1.0/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch markdown-it-py-2.1.0/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch
--- markdown-it-py-2.1.0/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch 1969-12-31 21:00:00.000000000 -0300
+++ markdown-it-py-2.1.0/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch 2023-03-31 07:50:42.000000000 -0300
@@ -0,0 +1,116 @@
+From ae03c6107dfa18e648f6fdd1280f5b89092d5d49 Mon Sep 17 00:00:00 2001
+From: Chris Sewell <chrisj_sew...@hotmail.com>
+Date: Wed, 22 Feb 2023 05:56:39 +0100
+Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20CVE-2023-26303=20(#246)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/1031764
+
+Fix unnecessary asserts, leading to crashes
+---
+ markdown_it/renderer.py | 20 ++++++++------------
+ markdown_it/rules_core/replacements.py | 3 ++-
+ markdown_it/rules_core/smartquotes.py | 4 ++--
+ tests/test_port/fixtures/issue-fixes.md | 9 +++++++++
+ tests/test_port/test_fixtures.py | 1 +
+ 5 files changed, 22 insertions(+), 15 deletions(-)
+
+Index: markdown-it-py-2.1.0/markdown_it/renderer.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/renderer.py 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/renderer.py 2023-03-31 07:50:21.635213318 -0300
+@@ -84,8 +84,8 @@
+ for i, token in enumerate(tokens):
+ 
+ if token.type == "inline":
+- assert token.children is not None
+- result += self.renderInline(token.children, options, env)
++ if token.children:
++ result += self.renderInline(token.children, options, env)
+ elif token.type in self.rules:
+ result += self.rules[token.type](tokens, i, options, env)
+ else:
+@@ -207,8 +207,8 @@
+ if token.type == "text":
+ result += token.content
+ elif token.type == "image":
+- assert token.children is not None
+- result += self.renderInlineAsText(token.children, options, env)
++ if token.children:
++ result += self.renderInlineAsText(token.children, options, env)
+ elif token.type == "softbreak":
+ result += "\n"
+ 
+@@ -306,14 +306,10 @@
+ 
+ # "alt" attr MUST be set, even if empty. Because it's mandatory and
+ # should be placed on proper position for tests.
+-
+- assert (
+- token.attrs and "alt" in token.attrs
+- ), '"image" token\'s attrs must contain `alt`'
+-
+- # Replace content with actual value
+-
+- token.attrSet("alt", self.renderInlineAsText(token.children, options, env))
++ if token.children:
++ token.attrSet("alt", self.renderInlineAsText(token.children, options, env))
++ else:
++ token.attrSet("alt", "")
+ 
+ return self.renderToken(tokens, idx, options, env)
+ 
+Index: markdown-it-py-2.1.0/markdown_it/rules_core/replacements.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/rules_core/replacements.py 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/rules_core/replacements.py 2023-03-31 07:50:21.635213318 -0300
+@@ -116,7 +116,8 @@
+ for token in state.tokens:
+ if token.type != "inline":
+ continue
+- assert token.children is not None
++ if token.children is None:
++ continue
+ 
+ if SCOPED_ABBR_RE.search(token.content):
+ replace_scoped(token.children)
+Index: markdown-it-py-2.1.0/markdown_it/rules_core/smartquotes.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/rules_core/smartquotes.py 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/rules_core/smartquotes.py 2023-03-31 07:50:21.635213318 -0300
+@@ -198,5 +198,5 @@
+ 
+ if token.type != "inline" or not QUOTE_RE.search(token.content):
+ continue
+- assert token.children is not None
+- process_inlines(token.children, state)
++ if token.children is not None:
++ process_inlines(token.children, state)
+Index: markdown-it-py-2.1.0/tests/test_port/fixtures/issue-fixes.md
+===================================================================
+--- markdown-it-py-2.1.0.orig/tests/test_port/fixtures/issue-fixes.md 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/tests/test_port/fixtures/issue-fixes.md 2023-03-31 07:50:21.635213318 -0300
+@@ -36,3 +36,12 @@
+ .
+ <p>💬</p>
+ .
++
++Fix CVE-2023-26303
++.
++![![]()
++]([)
++.
++<p><img src="%5B" alt="
++" /></p>
++.
+Index: markdown-it-py-2.1.0/tests/test_port/test_fixtures.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/tests/test_port/test_fixtures.py 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/tests/test_port/test_fixtures.py 2023-03-31 07:50:21.635213318 -0300
+@@ -111,4 +111,5 @@
+ def test_issue_fixes(line, title, input, expected):
+ md = MarkdownIt()
+ text = md.render(input)
++ print(text)
+ assert text.rstrip() == expected.rstrip()
diff -Nru markdown-it-py-2.1.0/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch markdown-it-py-2.1.0/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch
--- markdown-it-py-2.1.0/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch 1969-12-31 21:00:00.000000000 -0300
+++ markdown-it-py-2.1.0/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch 2023-03-31 07:50:42.000000000 -0300
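Review bot: The `print(text)` added to `test_issue_fixes` in tests/test_port/test_fixtures.py reads like a debugging leftover; pytest captures stdout so it is harmless, but it dumps every fixture's rendered HTML under `-s` and is unrelated to the CVE fix, so it could be dropped from the Debian patch. The substantive change, replacing `assert token.children is not None` with an explicit guard, is the right shape of fix: `assert` is stripped under `python -O`, so before this patch the `-O` path would have failed a few lines later with a TypeError on `None` instead of an AssertionError, and only an explicit check closes both paths. The three guards are written differently (`if token.children:` in renderer.py, `if token.children is None: continue` in replacements.py, `if token.children is not None:` in smartquotes.py); they appear equivalent because iterating an empty child list yields nothing, but a short comment at each site such as `# children may be None for tokens built from malformed input (CVE-2023-26303)` would record why the check exists and discourage someone from reinstating the assert. Even with this fix, applications embedding markdown-it-py should keep an exception boundary around `render()`, since an uncaught exception on hostile input is the general DoS vector here and this patch only removes the known trigger.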
@@ -0,0 +1,47 @@
+From e711074fe79be7ff257a41d15969b79edfaa7c8e Mon Sep 17 00:00:00 2001
+From: Chris Sewell <chrisj_sew...@hotmail.com>
+Date: Wed, 22 Feb 2023 06:19:13 +0100
+Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20CLI=20crash=20on=20non-ut?=
+ =?UTF-8?q?f8=20character?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/1031764
+
+---
+ markdown_it/cli/parse.py | 2 +-
+ tests/test_cli.py | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/markdown_it/cli/parse.py b/markdown_it/cli/parse.py
+index 2d74f55a..890d5de3 100644
+--- a/markdown_it/cli/parse.py
++++ b/markdown_it/cli/parse.py
+@@ -35,7 +35,7 @@ def convert_file(filename: str) -> None:
+ Parse a Markdown file and dump the output to stdout.
+ """
+ try:
+- with open(filename, "r") as fin:
++ with open(filename, "r", encoding="utf8", errors="ignore") as fin:
+ rendered = MarkdownIt().render(fin.read())
+ print(rendered, end="")
+ except OSError:
+diff --git a/tests/test_cli.py b/tests/test_cli.py
+index 57d6b938..c38e24fd 100644
+--- a/tests/test_cli.py
++++ b/tests/test_cli.py
+@@ -20,6 +20,13 @@ def test_parse_fail():
+ assert exc_info.value.code == 1
+ 
+ 
++def test_non_utf8():
++ with tempfile.TemporaryDirectory() as tempdir:
++ path = pathlib.Path(tempdir).joinpath("test.md")
++ path.write_bytes(b"\x80abc")
++ assert parse.main([str(path)]) == 0
++
++
+ def test_print_heading():
+ with patch("builtins.print") as patched:
+ parse.print_heading()
+
diff -Nru markdown-it-py-2.1.0/debian/patches/series markdown-it-py-2.1.0/debian/patches/series
--- markdown-it-py-2.1.0/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ markdown-it-py-2.1.0/debian/patches/series 2023-03-31 07:50:42.000000000 -0300
@@ -0,0 +1,2 @@
+0001-fix-unnecessary-asserts-leading-to-crashes.patch
+0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch
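Review bot: `errors="ignore"` on the changed `open()` line in `convert_file` silently discards every undecodable byte, so the rendered output no longer reflects the input and two fragments separated only by bad bytes are fused before the Markdown parser sees them; `errors="replace"` stops the crash just as well while leaving a visible U+FFFD where data was dropped, i.e. `with open(filename, "r", encoding="utf8", errors="replace") as fin:`. The crash itself was a `UnicodeDecodeError`, which is a `ValueError` and is therefore not caught by the `except OSError:` that follows, so handling it at decode time is the right place; the rest of `convert_file` lies outside the hunk. `test_non_utf8` only asserts the exit code, so an extra check that the output still contains `abc` would pin the decoding behaviour rather than merely the absence of a crash. The new test uses `tempfile`, `pathlib` and `parse` without importing them in the hunk, so tests/test_cli.py presumably already imports them at module level; worth confirming when applying the patch to the 2.1.0 tree.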