Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: patfr...@gmail.com
Please unblock package md4c

[ Reason ]
It fixes CVE-2021-30027 affecting bullseye. See Security tracker at [1].

[ Impact ]
A malformed Markdown document can allow attackers to trigger the use of uninitialised memory and thereby cause a denial of service. See Security tracker at [1].

[ Tests ]
The upstream issue tracker [2] provides an example document which can trigger the bug. The issue is marked as fixed upstream though no automated tests cover the issue.

[ Risks ]
The package is a key package, i.e. a dependency of libqt5gui5 which in turn is a dependency of a plethora of packages. The changes are not too extensive though not trivial. I am not familiar with the source code to determine whether the changes cause any other risks.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
Security Tracker:
[1] https://security-tracker.debian.org/tracker/CVE-2021-30027
Upstream Issue Tracker:
[2] https://github.com/mity/md4c/issues/155

unblock md4c/0.4.7-2

diff -Nru md4c-0.4.7/debian/changelog md4c-0.4.7/debian/changelog --- md4c-0.4.7/debian/changelog 2020-12-30 09:21:56.000000000 +0100 +++ md4c-0.4.7/debian/changelog 2021-05-03 15:21:36.000000000 +0200 @@ -1,3 +1,10 @@ +md4c (0.4.7-2) unstable; urgency=medium + + * Cherry-pick commit to handle CVE-2021-30027 which can cause a denial + of service (Closes: #987799). + + -- Patrick Franz <patfr...@gmail.com> Mon, 03 May 2021 15:21:36 +0200 + md4c (0.4.7-1) unstable; urgency=medium * New upstream release (0.4.7). diff -Nru md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch --- md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch 1970-01-01 01:00:00.000000000 +0100 +++ md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch 2021-05-03 15:21:36.000000000 +0200 
@@ -0,0 +1,87 @@ +Description: Fix CVE-2021-30027 + md_analyze_line in md4c.c in md4c 0.4.7 allows attackers + to trigger use of uninitialized memory, and cause + a denial of service via a malformed Markdown document. +Author: upstream +Forwarded: not-needed + +--- + src/md4c.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/src/md4c.c ++++ b/src/md4c.c +@@ -5864,7 +5864,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end, + + /* Check whether we are Setext underline. */ + if(line->indent < ctx->code_indent_offset && pivot_line->type == MD_LINE_TEXT +- && (CH(off) == _T('=') || CH(off) == _T('-')) ++ && off < ctx->size && ISANYOF2(off, _T('='), _T('-')) + && (n_parents == ctx->n_containers)) + { + unsigned level; +@@ -5877,7 +5877,10 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end, + } + + /* Check for thematic break line. */ +- if(line->indent < ctx->code_indent_offset && ISANYOF(off, _T("-_*")) && off >= hr_killer) { ++ if(line->indent < ctx->code_indent_offset ++ && off < ctx->size && off >= hr_killer ++ && ISANYOF(off, _T("-_*"))) ++ { + if(md_is_hr_line(ctx, off, &off, &hr_killer)) { + line->type = MD_LINE_HR; + break; +@@ -5941,7 +5944,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end, + { + /* Noop. List mark followed by a blank line cannot interrupt a paragraph. */ + } else if(pivot_line->type == MD_LINE_TEXT && n_parents == ctx->n_containers && +- (container.ch == _T('.') || container.ch == _T(')')) && container.start != 1) ++ ISANYOF2_(container.ch, _T('.'), _T(')')) && container.start != 1) + { + /* Noop. Ordered list cannot interrupt a paragraph unless the start index is 1. */ + } else { +@@ -5982,7 +5985,9 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end, + } + + /* Check for ATX header. 
*/ +- if(line->indent < ctx->code_indent_offset && CH(off) == _T('#')) { ++ if(line->indent < ctx->code_indent_offset && ++ off < ctx->size && CH(off) == _T('#')) ++ { + unsigned level; + + if(md_is_atxheader_line(ctx, off, &line->beg, &off, &level)) { +@@ -5993,7 +5998,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end, + } + + /* Check whether we are starting code fence. */ +- if(CH(off) == _T('`') || CH(off) == _T('~')) { ++ if(off < ctx->size && ISANYOF2(off, _T('`'), _T('~'))) { + if(md_is_opening_code_fence(ctx, off, &off)) { + line->type = MD_LINE_FENCEDCODE; + line->data = 1; +@@ -6002,7 +6007,8 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end, + } + + /* Check for start of raw HTML block. */ +- if(CH(off) == _T('<') && !(ctx->parser.flags & MD_FLAG_NOHTMLBLOCKS)) ++ if(off < ctx->size && CH(off) == _T('<') ++ && !(ctx->parser.flags & MD_FLAG_NOHTMLBLOCKS)) + { + ctx->html_block_type = md_is_html_block_start_condition(ctx, off); + +@@ -6023,9 +6029,9 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end, + } + + /* Check for table underline. */ +- if((ctx->parser.flags & MD_FLAG_TABLES) && pivot_line->type == MD_LINE_TEXT && +- (CH(off) == _T('|') || CH(off) == _T('-') || CH(off) == _T(':')) && +- n_parents == ctx->n_containers) ++ if((ctx->parser.flags & MD_FLAG_TABLES) && pivot_line->type == MD_LINE_TEXT ++ && off < ctx->size && ISANYOF3(off, _T('|'), _T('-'), _T(':')) ++ && n_parents == ctx->n_containers) + { + unsigned col_count; + +-- diff -Nru md4c-0.4.7/debian/patches/series md4c-0.4.7/debian/patches/series --- md4c-0.4.7/debian/patches/series 2020-09-30 17:22:41.000000000 +0200 +++ md4c-0.4.7/debian/patches/series 2021-05-03 15:14:31.000000000 +0200 @@ -1 +1,2 @@ disable_building_the_example.patch +fix_CVE-2021-30027.patch
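Review bot: the debian/changelog entry for 0.4.7-2 says "Cherry-pick commit to handle CVE-2021-30027" without naming the upstream commit, so the release team cannot compare the debdiff against what upstream actually landed; name the commit and the upstream issue in the entry, e.g. "* Cherry-pick upstream commit <hash> to fix CVE-2021-30027 (use of uninitialised memory in md_analyze_line, https://github.com/mity/md4c/issues/155) (Closes: #987799)."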
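Review bot: the DEP-3 header of fix_CVE-2021-30027.patch carries "Author: upstream" and "Forwarded: not-needed" but no "Origin:" line for the commit being cherry-picked and no "Bug:" / "Bug-Debian:" lines; add "Origin: upstream, <commit URL>", "Bug: https://github.com/mity/md4c/issues/155" and "Bug-Debian: https://bugs.debian.org/987799" so a reviewer can verify the cherry-pick and the patch can be dropped cleanly at the next upstream release.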
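Review bot: the Setext underline hunk (@@ -5864) replaces the two CH(off) comparisons with ISANYOF2(off, _T('='), _T('-')), and later hunks use ISANYOF2_ and ISANYOF3, yet the patch defines none of these macros; confirm they already exist in the 0.4.7 src/md4c.c in testing, because a cherry-pick from a newer upstream tree can silently depend on helpers introduced in between and the build would then fail. A test build of 0.4.7-2 on bullseye settles it, and the outcome belongs in the [ Tests ] section.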
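Review bot: the hunk at @@ -5941 (container.ch == _T('.') || container.ch == _T(')') rewritten as ISANYOF2_(container.ch, _T('.'), _T(')'))) is purely cosmetic: container.ch is a character value, not an offset that is read from the buffer, so no bounds check is involved and it contributes nothing to the CVE fix. During the freeze a minimal cherry-pick is easier to review; drop this hunk unless it is needed for the neighbouring hunks to apply, and if it is, say so in the patch description.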
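Review bot: in the raw HTML block hunk (@@ -6002) the new condition reads the byte at off before it consults MD_FLAG_NOHTMLBLOCKS; testing the flag first, `if(!(ctx->parser.flags & MD_FLAG_NOHTMLBLOCKS) && off < ctx->size && CH(off) == _T('<'))`, avoids the memory access altogether when HTML blocks are disabled. As posted it is correct, since `off < ctx->size` now guards the read, so this is a style point only.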
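Review bot: the seven hunks ending with the table underline check (@@ -6023) guard the CH(off) reads that md_analyze_line performs directly at off, but the debdiff does not show whether the function's other reads of CH(off) (the blockquote and list marker checks that are not in these hunks) are already bounded, and the [ Tests ] section states that no automated test covers the issue. Before asking for the unblock, rebuild with CFLAGS containing -fsanitize=address,undefined, run the example document from issue #155 through a small driver linked against the library (or upstream's md2html example) with and without the patch, and record in [ Tests ] that the sanitizer report disappears with it. Feeding the same document to such a driver from debian/tests would keep the regression covered after the freeze.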
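The mechanism behind the [ Impact ] paragraph, as an added illustration that is neither md4c code nor part of the original report: a line classifier in the style of md_analyze_line that receives a buffer plus a size with no terminating NUL, as md4c does. The names doc_t, skip_indent, is_atx_header_unguarded, is_atx_header_guarded and demo_oob_read are invented for this example and the input document is constructed. When the last line consists of indentation only, the offset of its first non-blank character equals the size, and the unguarded check reads one byte past the document; the example plants a '#' in that byte so the misread is visible rather than undefined behaviour, while the guarded form shows the shape of the fix, with the bound tested before the byte is read.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not md4c code: a document is a byte buffer plus an
 * explicit size, with no terminating NUL (hypothetical simplification
 * of the md4c parser context). */
typedef struct {
    const char *text;
    size_t size;
} doc_t;

/* Pre-fix shape: reads text[off] without confirming off < size.
 * At end of input off == size, so the byte read is whatever happens to
 * lie past the document in memory. */
static int is_atx_header_unguarded(const doc_t *d, size_t off)
{
    return d->text[off] == '#';
}

/* Post-fix shape: the bound is tested first, so && short-circuits before
 * the byte is ever read. */
static int is_atx_header_guarded(const doc_t *d, size_t off)
{
    return off < d->size && d->text[off] == '#';
}

/* Skip leading spaces and tabs; returns off == size for a line that is
 * indentation only at the end of the document. */
static size_t skip_indent(const doc_t *d, size_t off)
{
    while (off < d->size && (d->text[off] == ' ' || d->text[off] == '\t'))
        off++;
    return off;
}

/* Builds a constructed document whose last line is indentation only and
 * deliberately places '#' in the byte just past the end, so the
 * out-of-bounds read is observable without undefined behaviour.
 * Returns 1 when the unguarded check misclassifies the blank line as a
 * header while the guarded check does not, 0 otherwise, -1 on malloc
 * failure. */
int demo_oob_read(void)
{
    const char sample[] = "para\n   ";      /* constructed input, 8 bytes */
    size_t size = sizeof(sample) - 1;        /* do not count the NUL */
    char *buf = malloc(size + 1);
    if (!buf)
        return -1;
    memcpy(buf, sample, size);
    buf[size] = '#';                         /* "garbage" past the end */

    doc_t d = { buf, size };
    size_t off = skip_indent(&d, 5);         /* second line starts at 5 */
    int unguarded = is_atx_header_unguarded(&d, off);
    int guarded = is_atx_header_guarded(&d, off);
    free(buf);
    return off == size && unguarded == 1 && guarded == 0;
}

int main(void)
{
    printf("unguarded check misread past end of document: %s\n",
           demo_oob_read() == 1 ? "yes" : "no");
    return 0;
}
```

To see the same read reported by a sanitizer instead of masked by the sentinel, allocate exactly `size` bytes, drop the `buf[size] = '#'` line, and build with `cc -g -fsanitize=address`; the unguarded function then triggers a heap-buffer-overflow report, which is the kind of evidence the [ Tests ] section could cite for the real fix.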