Hi Keith, On Sat, Jan 04, 2025 at 12:47:51PM +0100, Yadd wrote: > Hi, > > this CVE is unfixed for more than 1 year, however it's easy to fix with a > simple upgrade to last version + following patch: > > diff --git a/debian/changelog b/debian/changelog > index b95a02e..fdb37b9 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,11 @@ > +cmark-gfm (0.29.0.gfm.13-1) UNRELEASED; urgency=medium > + > + * Non maintainer upload > + * Drop 2 patches, now included in upstream source > + * Update install > + > + -- Yadd <y...@debian.org> Sat, 04 Jan 2025 12:38:37 +0100 > + > cmark-gfm (0.29.0.gfm.6-1) unstable; urgency=medium > > * New upstream version. > diff --git a/debian/libcmark-gfm-extensions-dev.install > b/debian/libcmark-gfm-extensions-dev.install > index 116255d..da1ee72 100644 > --- a/debian/libcmark-gfm-extensions-dev.install > +++ b/debian/libcmark-gfm-extensions-dev.install > @@ -2,4 +2,3 @@ usr/lib/*/libcmark-gfm-extensions.so > usr/lib/*/libcmark-gfm-extensions.a > usr/include/cmark-gfm-core-extensions.h > usr/include/cmark-gfm-extension_api.h > -usr/include/cmark-gfm-extensions_export.h > diff --git a/debian/patches/series b/debian/patches/series > index afae227..4b5fc15 100644 > --- a/debian/patches/series > +++ b/debian/patches/series > @@ -1,3 +1,3 @@ > -0001-Use-stdbool.h-instead-of-config.h-in-published-heade.patch > -0002-man-Switch-safe-option-for-unsafe-in-man-page.patch > +#0001-Use-stdbool.h-instead-of-config.h-in-published-heade.patch > +#0002-man-Switch-safe-option-for-unsafe-in-man-page.patch > 0003-Install-all-headers-in-include-cmark-gfm.patch
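Review bot: In the debian/changelog hunk, the new entry never says that it is a new upstream version or which CVE it fixes, although the mail presents this upload as the fix for that CVE. Add a "New upstream version" item that names the CVE and closes the RC bug (neither id is given in this mail), and write the first item as "Non-maintainer upload." A non-maintainer upload of a new upstream version is also conventionally given a -0.1 revision rather than -1.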
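Review bot: In the debian/libcmark-gfm-extensions-dev.install hunk, usr/include/cmark-gfm-extensions_export.h is removed from the -dev package with no explanation beyond "Update install" in the changelog. State the reason there (for example that the new upstream build no longer produces the file, if that is the case), and check that the headers still installed, cmark-gfm-core-extensions.h and cmark-gfm-extension_api.h, do not include it, since packages building against the library would otherwise fail.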
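Review bot: In the debian/patches/series hunk, the two patches are only commented out with "#", while the changelog says "Drop 2 patches". Remove both lines from series and delete the corresponding files from debian/patches so the source package does not carry dead patches. 0003-Install-all-headers-in-include-cmark-gfm.patch stays active, so confirm that it still applies cleanly to 0.29.0.gfm.13.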
As Yadd says, it's easy to fix this RC bug.

I also note that debian/control lists https://github.com/github/cmark as the upstream source; however, that is a fork of the original source at https://github.com/commonmark/cmark which is now at version 0.31.1.

Please could you release an updated version to close this RC bug, which is causing problems for other packages? Otherwise I'll do an NMU of 0.31.1.

Best wishes,

Julian