
Bug#988118: marked as done (unblock: md4c/0.4.7-2)



Your message dated Thu, 6 May 2021 14:10:43 +0200
with message-id <CAM8zJQvMvbne_2aSZshr9Ga6gG9jEA4BW45P4fhVmfCq6du_vA@mail.gmail.com>
and subject line Re: Bug#988118: unblock: md4c/0.4.7-2
has caused the Debian Bug report #988118,
regarding unblock: md4c/0.4.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988118: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988118
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: patfra71@gmail.com

Please unblock package md4c

[ Reason ]
It fixes CVE-2021-30027 affecting bullseye.
See Security tracker at [1].

[ Impact ]
A malformed Markdown document can allow
attackers to trigger the use of uninitialised memory and thereby
cause a denial of service.
See Security tracker at [1].

[ Tests ]
The upstream issue tracker [2] provides an example document which
can trigger the bug.
The issue is marked as fixed upstream though no automated tests
cover the issue.

[ Risks ]
The package is a key package, i.e. a dependency of libqt5gui5 which
in turn is a dependency of a plethora of packages.
The changes are not too extensive though not trivial. I am not
familiar with the source code to determine whether the changes
cause any other risks.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Security Tracker:
  [1] https://security-tracker.debian.org/tracker/CVE-2021-30027
Upstream Issue Tracker:
  [2] https://github.com/mity/md4c/issues/155

unblock md4c/0.4.7-2

diff -Nru md4c-0.4.7/debian/changelog md4c-0.4.7/debian/changelog
--- md4c-0.4.7/debian/changelog	2020-12-30 09:21:56.000000000 +0100
+++ md4c-0.4.7/debian/changelog	2021-05-03 15:21:36.000000000 +0200
@@ -1,3 +1,10 @@
+md4c (0.4.7-2) unstable; urgency=medium
+
+  * Cherry-pick commit to handle CVE-2021-30027 which can cause a denial
+    of service (Closes: #987799).
+
+ -- Patrick Franz <patfra71@gmail.com>  Mon, 03 May 2021 15:21:36 +0200
+
 md4c (0.4.7-1) unstable; urgency=medium
 
   * New upstream release (0.4.7).
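Review bot: the changelog entry says "Cherry-pick commit" without saying which upstream commit is cherry-picked; naming the commit id and the upstream issue (https://github.com/mity/md4c/issues/155, already cited in the unblock request) in the entry would let someone auditing the stable package trace the fix without opening the patch file.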
diff -Nru md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch
--- md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch	1970-01-01 01:00:00.000000000 +0100
+++ md4c-0.4.7/debian/patches/fix_CVE-2021-30027.patch	2021-05-03 15:21:36.000000000 +0200
@@ -0,0 +1,87 @@
+Description: Fix CVE-2021-30027
+ md_analyze_line in md4c.c in md4c 0.4.7 allows attackers
+ to trigger use of uninitialized memory, and cause 
+ a denial of service via a malformed Markdown document.
+Author: upstream
+Forwarded: not-needed
+
+---
+ src/md4c.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/src/md4c.c
++++ b/src/md4c.c
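Review bot: the DEP-3 header gives "Author: upstream" and has no Origin: line, so the patch cannot be traced back to the upstream commit it was taken from; an "Origin: upstream, <commit URL>" line, plus "Bug: https://github.com/mity/md4c/issues/155" and "Bug-Debian: https://bugs.debian.org/987799", would record that provenance. "Forwarded: not-needed" is the right value for a backported upstream change.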
+@@ -5864,7 +5864,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+ 
+         /* Check whether we are Setext underline. */
+         if(line->indent < ctx->code_indent_offset  &&  pivot_line->type == MD_LINE_TEXT
+-            &&  (CH(off) == _T('=') || CH(off) == _T('-'))
++            &&  off < ctx->size  &&  ISANYOF2(off, _T('='), _T('-'))
+             &&  (n_parents == ctx->n_containers))
+         {
+             unsigned level;
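Review bot: the new "off < ctx->size" term sits before "ISANYOF2(off, ...)" in the && chain, so short-circuit evaluation stops the character read at off == ctx->size (one past the input) that the original unconditional "CH(off) == _T('=')" comparison performed; that ordering is what makes the fix effective, so any later reshuffling of these conditions must keep the bounds test first. The same guard is repeated in six branches below; a single check where "off" is established for the line would be less fragile, but that is a larger change than a freeze cherry-pick should carry.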
+@@ -5877,7 +5877,10 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check for thematic break line. */
+-        if(line->indent < ctx->code_indent_offset  &&  ISANYOF(off, _T("-_*"))  &&  off >= hr_killer) {
++        if(line->indent < ctx->code_indent_offset
++            &&  off < ctx->size  &&  off >= hr_killer
++            &&  ISANYOF(off, _T("-_*")))
++        {
+             if(md_is_hr_line(ctx, off, &off, &hr_killer)) {
+                 line->type = MD_LINE_HR;
+                 break;
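Review bot: besides adding the bounds test, this hunk moves "off >= hr_killer" ahead of the "ISANYOF(off, _T("-_*"))" read; the reorder is behaviour-preserving only because all three terms are side-effect-free, and it has the benefit of skipping the read whenever the hr_killer test already fails. Since the unblock request states that no automated test covers the issue, it would be worth checking the reproducer from issue #155 against this branch and adding it to the package's test run.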
+@@ -5941,7 +5944,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+             {
+                 /* Noop. List mark followed by a blank line cannot interrupt a paragraph. */
+             } else if(pivot_line->type == MD_LINE_TEXT  &&  n_parents == ctx->n_containers  &&
+-                        (container.ch == _T('.') || container.ch == _T(')'))  &&  container.start != 1)
++                        ISANYOF2_(container.ch, _T('.'), _T(')'))  &&  container.start != 1)
+             {
+                 /* Noop. Ordered list cannot interrupt a paragraph unless the start index is 1. */
+             } else {
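Review bot: this hunk adds no bounds check; it only rewrites two comparisons on "container.ch" (a field already held in a local struct, not a read through "off") as "ISANYOF2_(...)", so it is a cosmetic part of the upstream commit rather than part of the CVE fix. It is harmless to keep, but for a minimal freeze cherry-pick it could be dropped; either way the build should confirm that ISANYOF2_, ISANYOF2 and ISANYOF3 are all defined in the 0.4.7 sources, since these helper macros may have been introduced upstream after that release.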
+@@ -5982,7 +5985,9 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check for ATX header. */
+-        if(line->indent < ctx->code_indent_offset  &&  CH(off) == _T('#')) {
++        if(line->indent < ctx->code_indent_offset  &&
++                off < ctx->size  &&  CH(off) == _T('#'))
++        {
+             unsigned level;
+ 
+             if(md_is_atxheader_line(ctx, off, &line->beg, &off, &level)) {
+@@ -5993,7 +5998,7 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check whether we are starting code fence. */
+-        if(CH(off) == _T('`') || CH(off) == _T('~')) {
++        if(off < ctx->size  &&  ISANYOF2(off, _T('`'), _T('~'))) {
+             if(md_is_opening_code_fence(ctx, off, &off)) {
+                 line->type = MD_LINE_FENCEDCODE;
+                 line->data = 1;
+@@ -6002,7 +6007,8 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check for start of raw HTML block. */
+-        if(CH(off) == _T('<')  &&  !(ctx->parser.flags & MD_FLAG_NOHTMLBLOCKS))
++        if(off < ctx->size  &&  CH(off) == _T('<')
++            &&  !(ctx->parser.flags & MD_FLAG_NOHTMLBLOCKS))
+         {
+             ctx->html_block_type = md_is_html_block_start_condition(ctx, off);
+ 
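Review bot: the condition here reads "off < ctx->size && CH(off) == _T('<') && !(ctx->parser.flags & MD_FLAG_NOHTMLBLOCKS)"; testing the flag first would avoid the character read entirely when HTML blocks are disabled, matching the table check in the last hunk, which tests MD_FLAG_TABLES before touching "off". Purely stylistic; the bounds check is correct as written.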
+@@ -6023,9 +6029,9 @@ md_analyze_line(MD_CTX* ctx, OFF beg, OFF* p_end,
+         }
+ 
+         /* Check for table underline. */
+-        if((ctx->parser.flags & MD_FLAG_TABLES)  &&  pivot_line->type == MD_LINE_TEXT  &&
+-           (CH(off) == _T('|') || CH(off) == _T('-') || CH(off) == _T(':'))  &&
+-           n_parents == ctx->n_containers)
++        if((ctx->parser.flags & MD_FLAG_TABLES)  &&  pivot_line->type == MD_LINE_TEXT
++            &&  off < ctx->size  &&  ISANYOF3(off, _T('|'), _T('-'), _T(':'))
++            &&  n_parents == ctx->n_containers)
+         {
+             unsigned col_count;
+ 
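Review bot: with this hunk every line-start read through "off" in the diff is guarded, but the patch does not touch the helpers called after the guards (md_is_hr_line, md_is_atxheader_line, md_is_opening_code_fence, md_is_html_block_start_condition); the reviewer should confirm those perform their own bounds checks as they advance "off", otherwise the same class of out-of-bounds read could remain one call deeper.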
+-- 
diff -Nru md4c-0.4.7/debian/patches/series md4c-0.4.7/debian/patches/series
--- md4c-0.4.7/debian/patches/series	2020-09-30 17:22:41.000000000 +0200
+++ md4c-0.4.7/debian/patches/series	2021-05-03 15:14:31.000000000 +0200
@@ -1 +1,2 @@
 disable_building_the_example.patch
+fix_CVE-2021-30027.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
