Your message dated Mon, 22 Sep 2025 16:18:29 -0700
with message-id <1905754.atdPhlSkOF@soren-desktop>
and subject line ruby-commonmarker: CVE-2022-24724 - integer overflow prior to
0.29.0.gfm.3 and 0.28.3.gfm.21 in cmark extension
has caused the Debian Bug report #1006759,
regarding ruby-commonmarker: CVE-2022-24724 - integer overflow prior to
0.29.0.gfm.3 and 0.28.3.gfm.21 in cmark extension
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1006759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006759
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-commonmarker
Version: 0.23.2-2
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team
<[email protected]>
iHi,
The following vulnerability was published for ruby-commonmarker.
https://sources.debian.org/src/ruby-commonmarker/0.23.2-2/ext/commonmarker/table.c/?hl=161#L161
CVE-2022-24724[0]:
| cmark-gfm is GitHub's extended version of the C reference
| implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and
| 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing
| `table.c:row_from_string` may lead to heap memory corruption when
| parsing tables who's marker rows contain more than UINT16_MAX columns.
| The impact of this heap corruption ranges from Information Leak to
| Arbitrary Code Execution depending on how and where `cmark-gfm` is
| used. If `cmark-gfm` is used for rendering remote user controlled
| markdown, this vulnerability may lead to Remote Code Execution (RCE)
| in applications employing affected versions of the `cmark-gfm`
| library. This vulnerability has been patched in the following cmark-
| gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is
| available. The vulnerability exists in the table markdown extensions
| of cmark-gfm. Disabling the table extension will prevent this
| vulnerability from being triggered.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24724
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.16.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Closing this bug report as it has been fixed for a while.
--
Soren Stoutner
[email protected]
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
