Your message dated Thu, 6 May 2021 14:10:43 +0200
with message-id 
<cam8zjqvmvbne_2aszshr9ga6gg9jea4bw45p4fhvmfcq6du...@mail.gmail.com>
and subject line Re: Bug#988118: unblock: md4c/0.4.7-2
has caused the Debian Bug report #988118,
regarding unblock: md4c/0.4.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988118: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988118
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: patfr...@gmail.com

Please unblock package md4c

[ Reason ]
It fixes CVE-2021-30027 affecting bullseye.
See Security tracker at [1].

[ Impact ]
A malformed Markdown document can allow attackers to trigger the use
of uninitialised memory and thereby cause a denial of service.
See Security tracker at [1].

[ Tests ]
The upstream issue tracker [2] provides an example document which
can trigger the bug.
The issue is marked as fixed upstream though no automated tests
cover the issue.

[ Risks ]
The package is a key package, i.e. a dependency of libqt5gui5 which
in turn is a dependency of a plethora of packages.
The changes are not too extensive though not trivial. I am not
familiar with the source code to determine whether the changes
cause any other risks.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Security Tracker:
  [1] https://security-tracker.debian.org/tracker/CVE-2021-30027
Upstream Issue Tracker:
  [2] https://github.com/mity/md4c/issues/155

unblock md4c/0.4.7-2

diff -Nru md4c-0.4.7/debian/changelog md4c-0.4.7/debian/changelog
--- md4c-0.4.7/debian/changelog 2020-12-30 09:21:56.000000000 +0100
+++ md4c-0.4.7/debian/changelog 2021-05-03 15:21:36.000000000 +0200
@@ -1,3 +1,10 @@
+md4c (0.4.7-2) unstable; urgency=medium
+
+  * Cherry-pick commit to handle CVE-2021-30027 which can cause a denial
+    of service (Closes: #987799).
+
+ -- Patrick Franz <patfr...@gmail.com>  Mon, 03 May 2021 15:21:36 +0200
+
 md4c (0.4.7-1) unstable; urgency=medium
 
   * New upstream release (0.4.7).
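Review bot: "Cherry-pick commit" in the 0.4.7-2 entry does not say which upstream commit was cherry-picked; naming the commit id, or at least the upstream issue https://github.com/mity/md4c/issues/155 cited under [Other info], in the changelog makes the provenance checkable when the patch is refreshed or dropped on the next upstream import.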
diff -Nru md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch 
md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch
--- md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch  1970-01-01 
01:00:00.000000000 +0100
+++ md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch  2021-05-03 
15:21:36.000000000 +0200
@@ -0,0 +1,87 @@
+Description: Fix CVE-2021-30027
+ md_analyze_line in md4c.c in md4c 0.4.7 allows attackers
+ to trigger use of uninitialized memory, and cause 
+ a denial of service via a malformed Markdown document.
+Author: upstream
+Forwarded: not-needed
+
+---
+ src/md4c.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
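Review bot: the DEP-3 header carries `Author: upstream` but no `Origin:` line with the upstream commit id or URL and no `Bug:` / `Bug-Debian:` line, although both #987799 and https://github.com/mity/md4c/issues/155 appear in this request; add those fields so the patch can be matched against upstream when the next version is packaged and so `Forwarded: not-needed` is self-explanatory.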
+--- a/src/md4c.c
++++ b/src/md4c.c
+@@ -5864,7 +5864,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+ 
+         /* Check whether we are Setext underline. */
+         if(line->indent < ctx->code_indent_offset  &&  pivot_line->type == 
MD_LINE_TEXT
+-            &&  (CH(off) == _T('=') || CH(off) == _T('-'))
++            &&  off < ctx->size  &&  ISANYOF2(off, _T('='), _T('-'))
+             &&  (n_parents == ctx->n_containers))
+         {
+             unsigned level;
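Review bot: this region is the substance of the fix: `off < ctx->size` is now evaluated before `ISANYOF2(off, _T('='), _T('-'))` and short-circuits, so `CH(off)` is no longer read when `off` already equals the input length, which is the read of unowned memory the Description refers to. The `ISANYOF2` macro is otherwise equivalent to the two `CH(off) ==` comparisons it replaces. The same bound check is repeated at the thematic-break, ATX-header, code-fence, HTML-block and table-underline sites below; the thing to verify in each is that the guard stays to the left of the character read, since `&&` only protects operands that follow it.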
+@@ -5877,7 +5877,10 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check for thematic break line. */
+-        if(line->indent < ctx->code_indent_offset  &&  ISANYOF(off, 
_T("-_*"))  &&  off >= hr_killer) {
++        if(line->indent < ctx->code_indent_offset
++            &&  off < ctx->size  &&  off >= hr_killer
++            &&  ISANYOF(off, _T("-_*")))
++        {
+             if(md_is_hr_line(ctx, off, &off, &hr_killer)) {
+                 line->type = MD_LINE_HR;
+                 break;
+@@ -5941,7 +5944,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+             {
+                 /* Noop. List mark followed by a blank line cannot interrupt 
a paragraph. */
+             } else if(pivot_line->type == MD_LINE_TEXT  &&  n_parents == 
ctx->n_containers  &&
+-                        (container.ch == _T('.') || container.ch == _T(')'))  
&&  container.start != 1)
++                        ISANYOF2_(container.ch, _T('.'), _T(')'))  &&  
container.start != 1)
+             {
+                 /* Noop. Ordered list cannot interrupt a paragraph unless the 
start index is 1. */
+             } else {
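Review bot: this region is cosmetic rather than part of the security fix: it replaces two comparisons on `container.ch` with `ISANYOF2_(container.ch, ...)` and adds no `off < ctx->size` guard, because `container.ch` is a stored character, not an offset into the input. For a minimal change in a frozen release it could be left out of the cherry-pick, which would narrow the debdiff the [Risks] section describes as "not too extensive though not trivial". If it is kept, confirm that the underscore variant `ISANYOF2_` exists in the 0.4.7 sources, since a cherry-picked patch otherwise fails at build time.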
+@@ -5982,7 +5985,9 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check for ATX header. */
+-        if(line->indent < ctx->code_indent_offset  &&  CH(off) == _T('#')) {
++        if(line->indent < ctx->code_indent_offset  &&
++                off < ctx->size  &&  CH(off) == _T('#'))
++        {
+             unsigned level;
+ 
+             if(md_is_atxheader_line(ctx, off, &line->beg, &off, &level)) {
+@@ -5993,7 +5998,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check whether we are starting code fence. */
+-        if(CH(off) == _T('`') || CH(off) == _T('~')) {
++        if(off < ctx->size  &&  ISANYOF2(off, _T('`'), _T('~'))) {
+             if(md_is_opening_code_fence(ctx, off, &off)) {
+                 line->type = MD_LINE_FENCEDCODE;
+                 line->data = 1;
+@@ -6002,7 +6007,8 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check for start of raw HTML block. */
+-        if(CH(off) == _T('<')  &&  !(ctx->parser.flags & 
MD_FLAG_NOHTMLBLOCKS))
++        if(off < ctx->size  &&  CH(off) == _T('<')
++            &&  !(ctx->parser.flags & MD_FLAG_NOHTMLBLOCKS))
+         {
+             ctx->html_block_type = md_is_html_block_start_condition(ctx, off);
+ 
+@@ -6023,9 +6029,9 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check for table underline. */
+-        if((ctx->parser.flags & MD_FLAG_TABLES)  &&  pivot_line->type == 
MD_LINE_TEXT  &&
+-           (CH(off) == _T('|') || CH(off) == _T('-') || CH(off) == _T(':'))  
&&
+-           n_parents == ctx->n_containers)
++        if((ctx->parser.flags & MD_FLAG_TABLES)  &&  pivot_line->type == 
MD_LINE_TEXT
++            &&  off < ctx->size  &&  ISANYOF3(off, _T('|'), _T('-'), _T(':'))
++            &&  n_parents == ctx->n_containers)
+         {
+             unsigned col_count;
+ 
+-- 
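Review bot: with the table-underline site above, the patch guards six `CH(off)`-style reads with `off < ctx->size` (Setext, thematic break, ATX header, code fence, HTML block, table underline), matching the diffstat of 15 insertions and 9 deletions in `src/md4c.c`. The [Tests] section says the upstream tracker provides a reproducer but not that it was run against the rebuilt package; since an over-read of this kind does not crash reliably, it would strengthen the request to state that the document from issue #155 was fed to the patched library under valgrind or AddressSanitizer and no longer reports an invalid read.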
diff -Nru md4c-0.4.7/debian/patches/series md4c-0.4.7/debian/patches/series
--- md4c-0.4.7/debian/patches/series    2020-09-30 17:22:41.000000000 +0200
+++ md4c-0.4.7/debian/patches/series    2021-05-03 15:14:31.000000000 +0200
@@ -1 +1,2 @@
 disable_building_the_example.patch
+fix_CVE-2021-30027.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
