[ubuntu/oracular-security] cmark-gfm 0.29.0.gfm.6-6ubuntu0.24.10.1 (Accepted)

Mon Mar 3 22:35:53 UTC 2025

cmark-gfm (0.29.0.gfm.6-6ubuntu0.24.10.1) oracular-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2023-22483-01.patch: Fix GHSL-2022-091: use
      growable array rather than appending to a singly-linked-list
      for better efficiency
    - debian/patches/CVE-2023-22483-02.patch: Fix quadratic behavior
      when parsing emphasis
    - debian/patches/CVE-2023-22483-03.patch: Add a flag to avoid
      quadratic loop in try_opening_table_header
    - debian/patches/CVE-2023-22483-04.patch: Refactor cell append code
      into a separate function
    - debian/patches/CVE-2023-22483-05.patch: Fix GHSL-2022-099: avoid
      quadratic behavior triggered by urls with underscores
    - debian/patches/CVE-2023-22483-06.patch: Avoid quadratic output
      growth with reference links
    - debian/patches/CVE-2023-22483-07.patch: Pre-compute number of
      opening/closing parens to avoid quadratic behavior
    - debian/patches/CVE-2023-22483-08.patch: Stop searching at the
      previous offset to prevent quadratic behavior
    - debian/patches/CVE-2023-22483-09.patch: Stop scanning at '<'
      character to avoid quadratic loop
    - debian/patches/CVE-2023-22483-10.patch: Fix quadratic behavior
      with smart quotes
    - debian/patches/CVE-2023-22483-11.patch: Always remove delimiters
      to avoid quadratic behavior
    - debian/patches/CVE-2023-22483-12.patch: Fix memory leak in
      row_from_string
    - debian/patches/CVE-2023-22483-13.patch: Make sure that the chunk
      metadata is always initialized correctly
    - debian/patches/CVE-2023-22483-14.patch: Add registration mechanism
      for custom node flags
    - debian/patches/CVE-2023-22483-15.patch: Update src/node.c
    - debian/patches/CVE-2023-22483-16.patch: Fix parsing of emphasis
      before links
    - debian/patches/CVE-2023-22483-17.patch: Fix quadratic behavior
      when parsing inlines
    - debian/patches/CVE-2023-22484-1.patch: Fix quadratic behavior with
      inline HTML
    - debian/patches/CVE-2023-22484-2.patch: Update HTML comment scanner
    - debian/patches/CVE-2023-22484-3.patch: Fixed HTML comment scanning
    - debian/patches/CVE-2023-22484-4.patch: Fix quadratic parsing issue
      with repeated `<!--`
    - debian/patches/CVE-2023-22484-5.patch: Add pathological test for
      repeated '<!--'
    - debian/patches/CVE-2023-22484-6.patch: Fix indentation
    - debian/patches/CVE-2023-22486-1.patch: Fix quadratic complexity bug
    - debian/patches/CVE-2023-22486-2.patch: Add new pathological test for
      pattern "![[]()"*n
    - debian/patches/CVE-2023-26485-1.patch: Ignore nested STRONGs during
      rendering
    - debian/patches/CVE-2023-26485-2.patch: Update expected output
    - debian/patches/CVE-2023-26485-3.patch: Add MAX_INDENT for xml
    - debian/patches/CVE-2023-26485-4.patch: Fix quadratic performance issue
      in list numbering
    - debian/patches/CVE-2023-26485-5.patch: Add ancestor_extension field
    - debian/patches/CVE-2023-26485-6.patch: Remove dead code
    - CVE-2023-22483
    - CVE-2023-22484
    - CVE-2023-22486
    - CVE-2023-26485

Date: 2025-03-02 23:51:16.706057+00:00
Changed-By: Bruce Cable <bruce.cable at canonical.com>
https://launchpad.net/ubuntu/+source/cmark-gfm/0.29.0.gfm.6-6ubuntu0.24.10.1
-------------- next part --------------
Sorry, changesfile not available.