[Bug 2003568] Re: [MIR] markdown-it-py

Mark Esler 2003568 at bugs.launchpad.net
Tue Feb 21 23:37:33 UTC 2023


I reviewed markdown-it-py 2.1.0-3 as checked into kinetic.  This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

> Markdown parser, done right. 100% CommonMark support, extensions,
> syntax plugins & high speed. Now in Python!

- CVE History:
  - none
  - crash reported, but not reproducible on v2.1
    - https://github.com/executablebooks/markdown-it-py/issues/175
  - user controlled crash methods (DoS) identified by Ubuntu Security
  - no upstream Security Policy
- Build-Depends?
  - lunar main
    - debhelper-compat (debhelper)
    - python3-all (python3-defaults)
    - python3-attr (python-attrs)
    - python3-markdown (python-markdown)
    - python3-sphinx (sphinx)
  - lunar universe
    - flit
    - pybuild-plugin-pyproject
    - python3-commonmark (commonmark)
    - python3-pytest (dh-python)
    - python3-pytest (pytest)
    - python3-mdurl (other MIR open)
    - python3-mistletoe (python-mistletoe)
    - python3-mistune (mistune)
    - python3-psutil (python-psutil)
- pre/post inst/rm scripts?
  - yes, standard prerm and postinst generated by dh-python
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/markdown-it
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build tests and autopkgtests
  - autopkgtests failing on i386, not a problem as pytest also fails
- cron jobs?
  - none
- Build logs:
  - W: python3-markdown-it: no-manual-page [usr/bin/markdown-it]
  - nothing concerning

- Processes spawned?
  - none
- Memory management?
  - standard python
- File IO?
  - looks safe
- Logging?
  - looks safe
  - single use of UserWarning
  - stderr if file IO fails
  - all other cases use the builtin `logging` library for debug messages
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - none
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - two try-except-passes in normalize_url.py

Sanitization functions are implemented and some in-line comments clearly
document that XSS attempts are being checked.

Some regex is (inherently) obtuse. See UNICODE_PUNCT_RE.

Quite a few functions just raise NotImplementedError.

escapeHtml() is commented as needing dev review.

linkify_it is an optional runtime dependency. A patch to
`markdown_it/main.py` could force `linkify_it = None` if linkify_it is
not desired in main.

The Security Team discovered and is coordinating with upstream to
disclose CVE-2023-26302 and CVE-2023-26303. When upstream releases
patches for these vulnerabilities the Security Team will publish CVEs
and notify the owning team that patches are ready to be applied.

Security team ACK for promoting markdown-it-py to main, after removing
the optional linkify-it runtime dependency is considered.

** Bug watch added: github.com/executablebooks/markdown-it-py/issues #175
   https://github.com/executablebooks/markdown-it-py/issues/175

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26302

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26303

** Changed in: markdown-it-py (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: markdown-it-py (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to markdown-it-py in Ubuntu.
https://bugs.launchpad.net/bugs/2003568
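
The review above notes sanitization functions with XSS checks, an escapeHtml() marked as needing dev review, and try-except-pass blocks in normalize_url.py. As an added illustration (not markdown-it-py's own code), the following Python shows the two checks a Markdown renderer needs before emitting untrusted text: an HTML escaper whose replacement order avoids double escaping, and a link validator that refuses script-bearing URL schemes and rejects control characters instead of stripping them. The function names, the scheme list and the image-only data: rule are assumptions chosen for this example.

```python
"""Added example of output sanitization for a Markdown renderer.

Not markdown-it-py's code: escape_html, validate_link, render_link and the
scheme allow/deny lists below are assumptions for illustration only.
"""
import re

# Order matters: '&' must be replaced first. If '<' were escaped to '&lt;'
# before '&' was handled, the '&' in '&lt;' would then be escaped again.
_HTML_ESCAPES = (
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),  # needed because attributes are emitted in double quotes
)

# Assumed policy: schemes that can execute script or read local files are
# refused, except data: URLs carrying a small set of image types.
_BAD_PROTO_RE = re.compile(r"^(vbscript|javascript|file|data):", re.IGNORECASE)
_GOOD_DATA_RE = re.compile(r"^data:image/(gif|png|jpeg|webp);", re.IGNORECASE)


def escape_html(text: str) -> str:
    """Escape text for use as element content or a double-quoted attribute."""
    for raw, escaped in _HTML_ESCAPES:
        text = text.replace(raw, escaped)
    return text


def validate_link(url: str) -> bool:
    """Return True if url may be emitted as an href/src target (assumed policy)."""
    # Reject control characters outright. Browsers strip them before parsing,
    # so "java\tscript:" would bypass a plain prefix check if we merely kept it.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    url = url.strip()  # leading spaces would otherwise hide the scheme
    if _BAD_PROTO_RE.match(url):
        # data: is tolerated only for the listed image MIME types
        return bool(_GOOD_DATA_RE.match(url))
    return True


def render_link(href: str, text: str) -> str:
    """Render an <a> element, or just the escaped text when the href is refused."""
    if not validate_link(href):
        return escape_html(text)
    return f'<a href="{escape_html(href)}">{escape_html(text)}</a>'


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real document.
    for href, text in [
        ("https://example.com/?a=1&b=2", "x<y"),
        ("javascript:alert(1)", "click"),
        ('https://example.com/" onmouseover="alert(1)', "t"),
    ]:
        print(render_link(href, text))
```

Escaping the double quote is what keeps the third sample input from breaking out of the href attribute; a renderer that only escaped `<` and `>` would emit a working onmouseover handler.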

Title:
  [MIR] markdown-it-py

Status in markdown-it-py package in Ubuntu:
  In Progress

Bug description:
  [Availability]
  The package markdown-it-py is already in Ubuntu universe.
  The package markdown-it-py builds for the architectures it is designed to work on.
  It currently builds and works for architectures: all
  Link to package https://launchpad.net/ubuntu/+source/markdown-it-py

  [Rationale]
  - The package markdown-it-py is required in Ubuntu main as it will be used by netplan.io (it's a dependency of src:rich, which is a dependency of netplan.io), which is already in main.
  - The package markdown-it-py will generally be useful for a large part of our user base
  - The package markdown-it-py is a new runtime dependency of package netplan.io (through src:rich) that we already support
  - The package python3-rich itself does not yet depend on markdown-it-py, but upstream just migrated to it and rich will depend on it when the maintainer updates the package.

  - The package markdown-it-py is required in Ubuntu main no later than
  Feb 23 due to feature freeze.

  [Security]
  - Had 0 security issues in the past
  - No CVEs/security issues in this software in the past

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does not open privileged ports (ports < 1024)
  - Package does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu and does not have too many long-term critical bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/markdown-it-py/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=markdown-it-py

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpadlibrarian.net/632298609/buildlog_ubuntu-lunar-amd64.markdown-it-py_2.1.0-4_BUILDING.txt.gz

  - The package runs an autopkgtest, and is currently passing on all but
  i386 architectures, link to test logs
  https://autopkgtest.ubuntu.com/packages/markdown-it-py

  - The package does not have failing autopkgtests right now

  [Quality assurance - packaging]
  - debian/watch is present and works

  - debian/control defines a correct Maintainer field

  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package https://launchpadlibrarian.net/632298609/buildlog_ubuntu-lunar-amd64.markdown-it-py_2.1.0-4_BUILDING.txt.gz

  
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
  questions higher than medium

  - Packaging and build is easy, link to d/rules
  https://git.launchpad.net/ubuntu/+source/markdown-it-py/tree/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - There are further dependencies that are not yet in main, MIR for them is at:
  python-typing-extensions: https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821
  mdurl: https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - The team has not yet subscribed, but will subscribe to the package before promotion

  - This does not use static builds

  - This does not use vendored code

  - This package is not rust based

  - The package successfully built during the most recent test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is markdown-it-py
  Link to upstream project https://github.com/executablebooks/markdown-it-py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/markdown-it-py/+bug/2003568/+subscriptions
