Source: python-cmarkgfm
Version: 0.4.2-1
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for python-cmarkgfm.

https://sources.debian.org/src/python-cmarkgfm/0.4.2-1/third_party/cmark/extensions/table.c/?hl=139#L139

CVE-2022-24724[0]:
| cmark-gfm is GitHub's extended version of the C reference
| implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and
| 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing
| `table.c:row_from_string` may lead to heap memory corruption when
| parsing tables whose marker rows contain more than UINT16_MAX columns.
| The impact of this heap corruption ranges from Information Leak to
| Arbitrary Code Execution depending on how and where `cmark-gfm` is
| used. If `cmark-gfm` is used for rendering remote user controlled
| markdown, this vulnerability may lead to Remote Code Execution (RCE)
| in applications employing affected versions of the `cmark-gfm`
| library. This vulnerability has been patched in the following cmark-
| gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is
| available. The vulnerability exists in the table markdown extensions
| of cmark-gfm. Disabling the table extension will prevent this
| vulnerability from being triggered.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24724
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24724

Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
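Added example (not part of this report, of cmark-gfm or of python-cmarkgfm): a pure-Python pre-screen that counts the cells of every GFM table delimiter (marker) row and flags any row with more than UINT16_MAX cells, so untrusted markdown can be rejected before it reaches an unpatched cmark-gfm build. The function names and the cell grammar used here are assumptions; it is a conservative filter for the specific trigger the CVE describes, not a substitute for upgrading or for disabling the table extension.

```python
import re
from typing import List

UINT16_MAX = 0xFFFF  # column count above which CVE-2022-24724's overflow applies

# A GFM delimiter cell: optional alignment colons around one or more dashes.
_DELIM_CELL = re.compile(r"^\s*:?-+:?\s*$")
# Split on pipes that are not backslash-escaped.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def delimiter_row_columns(line: str) -> int:
    """Return the cell count if `line` looks like a GFM table delimiter row, else 0.

    Assumed grammar (conservative): cells of ':?-+:?' separated by unescaped '|',
    with optional leading and trailing pipes.
    """
    stripped = line.strip()
    if not stripped or "-" not in stripped:
        return 0
    cells = _UNESCAPED_PIPE.split(stripped)
    # A leading or trailing pipe yields an empty first/last cell; drop them.
    if cells and cells[0].strip() == "":
        cells = cells[1:]
    if cells and cells[-1].strip() == "":
        cells = cells[:-1]
    if not cells or not all(_DELIM_CELL.match(c) for c in cells):
        return 0
    return len(cells)


def oversized_table_marker_rows(markdown: str, limit: int = UINT16_MAX) -> List[int]:
    """Return 1-based line numbers of delimiter rows with more than `limit` cells.

    An empty list means the input contains no marker row wide enough to hit
    the overflow; anything else should be rejected rather than rendered.
    """
    return [
        lineno
        for lineno, line in enumerate(markdown.splitlines(), start=1)
        if delimiter_row_columns(line) > limit
    ]
```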