Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-markdown
User: [email protected]
Usertags: pu

[ Reason ]
This fixes test failures with python3.13 >= 3.13.5-2+deb13u1, where some
changes were made to html.parser module to address CVE-2025-6069, which
broke Python-Markdown because it heavily relies on html.parser internals.
[ Impact ]
python-markdown FTBFS without these changes, see #1137043.
[ Tests ]
There are automated tests, which caught the issue and made it FTBFS.
[ Risks ]
I backported a minimal set of changes needed for the tests to pass. These
changes should be safe.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Adapt to changes in html.parser module in the new Python, backported
to Trixie as part of CVE fixes (closes: #1137043).
[ Other info ]
A similar upload for Bookworm will also have a fix for CVE-2025-69534.
I am not including it here, since it is relevant only for Python < 3.13.
--
Dmitry Shachnev
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +python-markdown (3.7-2+deb13u1) trixie; urgency=medium + + * Adapt to changes in html.parser module in the new Python, backported + to Trixie as part of CVE fixes (closes: #1137043). + + -- Dmitry Shachnev <[email protected]> Wed, 20 May 2026 11:17:38 +0300 + python-markdown (3.7-2) unstable; urgency=medium * Mark both binary packages as Multi-Arch: foreign (closes: #1078025). --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,2 +1,2 @@ [DEFAULT] -debian-branch=debian/master +debian-branch=debian/trixie --- a/debian/gitlab-ci.yml +++ b/debian/gitlab-ci.yml @@ -3,4 +3,4 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml variables: - RELEASE: 'unstable' + RELEASE: 'trixie' --- /dev/null +++ b/debian/patches/fixes_for_new_python.diff 
@@ -0,0 +1,59 @@ +From: Isaac Muse <[email protected]> +Date: Thu, 19 Jun 2025 09:46:13 -0600 +Subject: Fixes for Python 3.14 + +- Fix issue with unclosed HTML tag `<foo` +- Fix issue with unclosed comments + +Fixes #1537 + +(cherry picked from commit 9980cb5b27b07ff48283178d98213e41543701ec) +--- + markdown/htmlparser.py | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/markdown/htmlparser.py b/markdown/htmlparser.py +index 33b918d..6e47155 100644 +--- a/markdown/htmlparser.py ++++ b/markdown/htmlparser.py +@@ -89,6 +89,8 @@ class HTMLExtractor(htmlparser.HTMLParser): + + self.lineno_start_cache = [0] + ++ self.override_comment_update = False ++ + # This calls self.reset + super().__init__(*args, **kwargs) + self.md = md +@@ -249,8 +251,21 @@ class HTMLExtractor(htmlparser.HTMLParser): + self.handle_empty_tag('&{};'.format(name), is_block=False) + + def handle_comment(self, data: str): ++ # Check if the comment is unclosed, if so, we need to override position ++ i = self.line_offset + self.offset + len(data) + 4 ++ if self.rawdata[i:i + 3] != '-->': ++ self.handle_data('<') ++ self.override_comment_update = True ++ return + self.handle_empty_tag('<!--{}-->'.format(data), is_block=True) + ++ def updatepos(self, i: int, j: int) -> int: ++ if self.override_comment_update: ++ self.override_comment_update = False ++ i = 0 ++ j = 1 ++ return super().updatepos(i, j) ++ + def handle_decl(self, data: str): + self.handle_empty_tag('<!{}>'.format(data), is_block=True) + +@@ -300,7 +315,8 @@ class HTMLExtractor(htmlparser.HTMLParser): + self.__starttag_text = None + endpos = self.check_for_whole_start_tag(i) + if endpos < 0: +- return endpos ++ self.handle_data(self.rawdata[i:i + 1]) ++ return i + 1 + rawdata = self.rawdata + self.__starttag_text = rawdata[i:endpos] + --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ disable_directory_urls.diff disable_gh_links.diff local_inventory.diff +fixes_for_new_python.diff
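Review bot: The header of debian/patches/fixes_for_new_python.diff does not say why the patch is carried on trixie: its subject is "Fixes for Python 3.14" and its only issue reference is "Fixes #1537", taken from the cherry-picked commit message, which a reader can mistake for a Debian bug number. Consider adding a Bug-Debian field for #1137043 and one sentence noting that the same html.parser changes reached python3.13 in trixie, as the changelog entry already states.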
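Review bot: In the __init__ hunk of markdown/htmlparser.py, self.override_comment_update is set once, before super().__init__(), and none of the visible hunks clears it in reset(). The context comment says super().__init__() calls self.reset, so the rest of the parser state appears to be re-initialised there. If the flag is still True when the parser is reset and reused, the next updatepos() call would have its arguments replaced. Consider initialising the flag in reset() alongside the other per-document state.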
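Review bot: In the handle_comment() / updatepos() hunk, the constants are undocumented: `len(data) + 4` and `self.rawdata[i:i + 3] != '-->'` presumably stand for the lengths of the comment opener and closer, and updatepos() replaces its arguments with `i = 0` and `j = 1` without saying what those offsets are relative to. Since this code depends on html.parser internals that have already changed once, please add comments stating what each constant represents and why the hard-coded (0, 1) is valid wherever the unclosed comment begins in rawdata. A test with an unclosed comment that is not at the start of the input would make that assumption checkable.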
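Review bot: In the last hunk of markdown/htmlparser.py, the `if endpos < 0:` branch changes the function's return contract without a comment: it used to pass the negative result of check_for_whole_start_tag() back to the caller, and now always emits `self.rawdata[i:i + 1]` as data and returns `i + 1`. Please add a comment saying that an incomplete start tag is now consumed as literal text one character at a time, and confirm that no caller still relies on a negative return value to mean "need more input".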

