Source: python-cmarkgfm
Version: 0.4.2-1
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team 
<t...@security.debian.org>

Hi,

The following vulnerability was published for python-cmarkgfm.

https://sources.debian.org/src/python-cmarkgfm/0.4.2-1/third_party/cmark/extensions/table.c/?hl=139#L139

CVE-2022-24724[0]:
| cmark-gfm is GitHub's extended version of the C reference
| implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and
| 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing
| `table.c:row_from_string` may lead to heap memory corruption when
| parsing tables who's marker rows contain more than UINT16_MAX columns.
| The impact of this heap corruption ranges from Information Leak to
| Arbitrary Code Execution depending on how and where `cmark-gfm` is
| used. If `cmark-gfm` is used for rendering remote user controlled
| markdown, this vulnerability may lead to Remote Code Execution (RCE)
| in applications employing affected versions of the `cmark-gfm`
| library. This vulnerability has been patched in the following cmark-
| gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is
| available. The vulnerability exists in the table markdown extensions
| of cmark-gfm. Disabling the table extension will prevent this
| vulnerability from being triggered.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24724
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24724

Please adjust the affected versions in the BTS as needed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

_______________________________________________
Python-modules-team mailing list
Python-modules-team@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team

Reply via email to