Your message dated Wed, 21 Dec 2022 22:21:19 +0000
with message-id <e1p87sh-00cvqa...@fasolo.debian.org>
and subject line Bug#1006757: fixed in ghostwriter 2.1.6+ds-1
has caused the Debian Bug report #1006757,
regarding ghostwriter: CVE-2022-24724 - integer overflow prior to 0.29.0.gfm.3 and 0.28.3.gfm.21
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1006757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006757
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ghostwriter
Version: 2.1.1-1
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ghostwriter.

https://sources.debian.org/src/ghostwriter/2.1.1-1/3rdparty/cmark-gfm/extensions/table.c/?hl=154#L154

CVE-2022-24724[0]:
| cmark-gfm is GitHub's extended version of the C reference
| implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and
| 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing
| `table.c:row_from_string` may lead to heap memory corruption when
| parsing tables whose marker rows contain more than UINT16_MAX columns.
| The impact of this heap corruption ranges from Information Leak to
| Arbitrary Code Execution depending on how and where `cmark-gfm` is
| used. If `cmark-gfm` is used for rendering remote user controlled
| markdown, this vulnerability may lead to Remote Code Execution (RCE)
| in applications employing affected versions of the `cmark-gfm`
| library. This vulnerability has been patched in the following
| cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is
| available. The vulnerability exists in the table markdown extensions
| of cmark-gfm. Disabling the table extension will prevent this
| vulnerability from being triggered.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24724
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24724

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
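The advisory quoted above describes the bug class in one sentence: a column count that a 16-bit field cannot hold wraps, and the allocation or loop that later uses the wrapped value no longer matches the row that was parsed. The following is an added example, not cmark-gfm's `table.c` nor the Debian package's code: it counts the cells of a GFM table delimiter row in a `size_t` and rejects rows with more than UINT16_MAX cells (the limit named in the CVE text), and shows beside it what a `uint16_t` counter would have held for the same row. The function names and the row-generating helper are this example's own; the real `row_from_string` is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical names, not cmark-gfm's code): count the cells
 * of a GFM delimiter row such as "|---|:--:|---|" in a size_t and refuse
 * rows with more than UINT16_MAX cells, the limit the CVE text names.
 * Returns 0 and the column count in *ncols, or -1 if the row is rejected
 * (the true count is still written so a caller can log it). */
int count_marker_columns(const char *row, size_t *ncols)
{
    size_t count = 0;        /* cells closed by a '|' so far */
    size_t cell_len = 0;     /* non-blank chars seen in the current cell */
    const char *p = row;

    if (*p == '|')           /* a leading pipe opens the first cell */
        p++;
    for (; *p != '\0'; p++) {
        if (*p == '|') {
            count++;
            cell_len = 0;
        } else if (*p != ' ' && *p != '\t' && *p != '\r' && *p != '\n') {
            cell_len++;
        }
    }
    if (cell_len > 0)        /* last cell had no trailing pipe */
        count++;

    *ncols = count;
    return count > UINT16_MAX ? -1 : 0;
}

/* What a uint16_t column counter would hold for a row of ncols cells:
 * the value modulo 65536, so 65537 cells become 1. This is the mismatch
 * between "cells parsed" and "cells allocated" that the advisory describes. */
uint16_t truncated_columns(size_t ncols)
{
    return (uint16_t)ncols;
}

/* Convenience wrapper: the column count as a long, or -1 when rejected. */
long columns_or_error(const char *row)
{
    size_t n;
    return count_marker_columns(row, &n) == 0 ? (long)n : -1L;
}

/* Build a constructed delimiter row "|---|---|...|" with n cells, run the
 * checked counter over it and return its verdict; the buffer is freed. */
long columns_in_generated_row(size_t n)
{
    size_t len = 1 + n * 4;              /* "|" followed by n times "---|" */
    char *row = malloc(len + 1);
    if (row == NULL)
        return -1L;
    row[0] = '|';
    for (size_t i = 0; i < n; i++)
        memcpy(row + 1 + i * 4, "---|", 4);
    row[len] = '\0';
    long result = columns_or_error(row);
    free(row);
    return result;
}

int main(void)
{
    printf("|---|:--:|---| -> %ld columns\n", columns_or_error("|---|:--:|---|"));
    printf("65535 cells    -> %ld\n", columns_in_generated_row(65535));
    printf("65536 cells    -> %ld (rejected)\n", columns_in_generated_row(65536));
    printf("a uint16_t counter would hold %u for 65537 cells\n",
           (unsigned)truncated_columns(65537));
    return 0;
}
```

The check sits on the count itself rather than on the later allocation, which is where such a bound belongs: once the count is proven to fit every type that will carry it, the allocation size and the cell loop cannot disagree about how many cells the row has.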
--- Begin Message ---
Source: ghostwriter
Source-Version: 2.1.6+ds-1
Done: Aurélien COUDERC <couc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ghostwriter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1006...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurélien COUDERC <couc...@debian.org> (supplier of updated ghostwriter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Dec 2022 22:51:24 +0100
Source: ghostwriter
Architecture: source
Version: 2.1.6+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-ext...@alioth-lists.debian.net>
Changed-By: Aurélien COUDERC <couc...@debian.org>
Closes: 1006757
Changes:
 ghostwriter (2.1.6+ds-1) unstable; urgency=medium
 .
   [ Sebastien CHAVAUX ]
   * New upstream release.
   * debian/control: set Standards-Version: to 4.6.1
   * debian/control: address correction
   * debian/watch: address correction
   * vulnerability patched in 3rdparty/cmark-gfm CVE-2022-24724, CVE-2022-39209
     (Closes: #1006757).
 .
   [ Aurélien COUDERC ]
   * Point watch file to the invent.kde.org GitLab repo tags until we get a
     proper upstream release.
   * Add explanation for source lintian overrides.
   * Bump Standards-Version to 4.6.2, no change required.
   * Review copyright information.
   * Replace debian/compat with debhelper-compat build dependency, bump
     compatibility version to 13.
   * Use Debian KDE Extras Team as the maintainer, move Sebastien CHAVAUX
     to uploaders.
   * Added myself to the uploaders.
   * Replace vendored libcmark-gfm with the system one.
   * Add copyright information for vendored libraries.
Checksums-Sha1:
 9193789e2a88502d2bd47f324bd321f0b25488c8 2295 ghostwriter_2.1.6+ds-1.dsc
 d44eed234a44b645baa1d210d7a15a865ad8a0a0 3067056 ghostwriter_2.1.6+ds.orig.tar.xz
 356cefcad7c80d9159b1d3fe07a2e90786ffd40e 10900 ghostwriter_2.1.6+ds-1.debian.tar.xz
 f7ad9478a33e7a8feb5d564e5f5a82f337ede604 13994 ghostwriter_2.1.6+ds-1_amd64.buildinfo
Checksums-Sha256:
 6ce52d75693c8e87c214de78fc199947b8bf3a42b39e4fccfbb756a66995b822 2295 ghostwriter_2.1.6+ds-1.dsc
 1e8c2985f2971a9c529476c5696e1edacd256f67d83e2d0dbdaf790c8ea447b9 3067056 ghostwriter_2.1.6+ds.orig.tar.xz
 2947c765cc85601c86fa25bd083915f673b1af1ba45f58f9c8335f2d234574c3 10900 ghostwriter_2.1.6+ds-1.debian.tar.xz
 4f2e0a2b7b9142c26fd99be5acfc6012854ca2a33734bc1cadd424d83d3f64a4 13994 ghostwriter_2.1.6+ds-1_amd64.buildinfo
Files:
 27635730c731aa00969e54b8ef11db02 2295 editors optional ghostwriter_2.1.6+ds-1.dsc
 cba34d2eeb2f9c7811bb83a8974b4e00 3067056 editors optional ghostwriter_2.1.6+ds.orig.tar.xz
 d715eee303d23d37d8d1788d39d7dc7c 10900 editors optional ghostwriter_2.1.6+ds-1.debian.tar.xz
 c7cfbe2e8955f10474544b1e0bda0ecc 13994 editors optional ghostwriter_2.1.6+ds-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
