
Bug#1034324: marked as done (unblock: markdown-it-py/2.1.0-5)



Your message dated Thu, 13 Apr 2023 07:19:17 +0000
with message-id <E1pmrEj-00FGHH-Hb@respighi.debian.org>
and subject line unblock markdown-it-py
has caused the Debian Bug report #1034324,
regarding unblock: markdown-it-py/2.1.0-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034324: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034324
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: markdown-it-py@packages.debian.org, eamanu@yaerobi.com, santiago@debian.org
Control: affects -1 + src:markdown-it-py

Please unblock package markdown-it-py

[ Reason ]
This release applies two patches from upstream to fix two security issues:
CVE-2023-26302 and CVE-2023-26303.

[ Impact ]
The security bugs will be present in Bookworm if the unblock isn't
granted:
 * CVE-2023-26302: Denial of service could be caused to the command
 line interface of markdown-it-py, before v2.2.0, if an attacker was
 allowed to use invalid UTF-8 characters as input.
 * CVE-2023-26303: Denial of service could be caused to markdown-it-py,
 before v2.2.0, if an attacker was allowed to force null assertions with
 specially crafted input.

[ Tests ]
As I didn't find an exploit to test it, I reproduced the tests provided
by upstream and they (the patches) worked ok.

[ Risks ]
This is a small change in the code, covered by upstream tests, and they
are part of a new upstream release, so the risk is low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
   - Santiago Ruano Rincón sponsored this package.
  [x] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock markdown-it-py/2.1.0-5

diff -Nru markdown-it-py-2.1.0/debian/changelog markdown-it-py-2.1.0/debian/changelog
--- markdown-it-py-2.1.0/debian/changelog	2022-10-01 11:49:00.000000000 -0300
+++ markdown-it-py-2.1.0/debian/changelog	2023-03-31 07:50:42.000000000 -0300
@@ -1,3 +1,13 @@
+markdown-it-py (2.1.0-5) unstable; urgency=high
+
+  * d/paches: Add patches from upstream to fix CVE-2023-26302 and
+    CVE-2023-26303 (Closes: #1031764).
+    - The patches added are:
+      0001-fix-unnecessary-asserts-leading-to-crashes.patch and
+      0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch.
+
+ -- Emmanuel Arias <eamanu@yaerobi.com>  Fri, 31 Mar 2023 07:50:42 -0300
+
 markdown-it-py (2.1.0-4) unstable; urgency=medium

   * Team upload.
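Review bot: "d/paches" in the first changelog bullet should read "d/patches", and the second patch's file name carries "casued" for "caused". The misspelt name is used consistently in debian/patches/series, so the series applies as is; if it gets corrected before upload, the changelog entry, the series file and the file on disk have to change together.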
diff -Nru markdown-it-py-2.1.0/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch markdown-it-py-2.1.0/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch
--- markdown-it-py-2.1.0/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch	1969-12-31 21:00:00.000000000 -0300
+++ markdown-it-py-2.1.0/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch	2023-03-31 07:50:42.000000000 -0300
@@ -0,0 +1,116 @@
+From ae03c6107dfa18e648f6fdd1280f5b89092d5d49 Mon Sep 17 00:00:00 2001
+From: Chris Sewell <chrisj_sewell@hotmail.com>
+Date: Wed, 22 Feb 2023 05:56:39 +0100
+Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20CVE-2023-26303=20(#246)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/1031764
+
+Fix unnecessary asserts, leading to crashes
+---
+ markdown_it/renderer.py                 | 20 ++++++++------------
+ markdown_it/rules_core/replacements.py  |  3 ++-
+ markdown_it/rules_core/smartquotes.py   |  4 ++--
+ tests/test_port/fixtures/issue-fixes.md |  9 +++++++++
+ tests/test_port/test_fixtures.py        |  1 +
+ 5 files changed, 22 insertions(+), 15 deletions(-)
+
+Index: markdown-it-py-2.1.0/markdown_it/renderer.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/renderer.py	2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/renderer.py	2023-03-31 07:50:21.635213318 -0300
+@@ -84,8 +84,8 @@
+         for i, token in enumerate(tokens):
+
+             if token.type == "inline":
+-                assert token.children is not None
+-                result += self.renderInline(token.children, options, env)
++                if token.children:
++                    result += self.renderInline(token.children, options, env)
+             elif token.type in self.rules:
+                 result += self.rules[token.type](tokens, i, options, env)
+             else:
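Review bot: the truthiness test `if token.children:` replaces an assert that recorded an invariant the parser normally guarantees; a one-line comment on when `children` can legitimately be None for an inline token would keep that knowledge, since the assert no longer states it. Also, rules_core uses `is not None` for the same guard; truthiness additionally skips an empty list, which renderInline would turn into "" anyway, so behaviour is identical, but the two spellings of the same check are worth aligning.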
+@@ -207,8 +207,8 @@
+             if token.type == "text":
+                 result += token.content
+             elif token.type == "image":
+-                assert token.children is not None
+-                result += self.renderInlineAsText(token.children, options, env)
++                if token.children:
++                    result += self.renderInlineAsText(token.children, options, env)
+             elif token.type == "softbreak":
+                 result += "\n"
+
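Review bot: same guard as in render(), fine. Worth saying in the commit message for both hunks: under `python -O` the removed asserts were stripped, so the old code would not have raised AssertionError but crashed one line later with TypeError inside renderInlineAsText(None); the assert never protected the process from this input, which is the stronger argument for the explicit `if`.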
+@@ -306,14 +306,10 @@
+
+         # "alt" attr MUST be set, even if empty. Because it's mandatory and
+         # should be placed on proper position for tests.
+-
+-        assert (
+-            token.attrs and "alt" in token.attrs
+-        ), '"image" token\'s attrs must contain `alt`'
+-
+-        # Replace content with actual value
+-
+-        token.attrSet("alt", self.renderInlineAsText(token.children, options, env))
++        if token.children:
++            token.attrSet("alt", self.renderInlineAsText(token.children, options, env))
++        else:
++            token.attrSet("alt", "")
+
+         return self.renderToken(tokens, idx, options, env)
+
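Review bot: the removed assert also required `"alt" in token.attrs`, and nothing replaces that requirement; that is acceptable because attrSet("alt", ...) now runs on both branches, so the "alt MUST be set, even if empty" comment above the hunk still holds. Suggest rewording that comment, as it still justifies the attribute by its "proper position for tests" rather than by the HTML output, and it now sits directly above the code that guarantees it.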
+Index: markdown-it-py-2.1.0/markdown_it/rules_core/replacements.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/rules_core/replacements.py	2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/rules_core/replacements.py	2023-03-31 07:50:21.635213318 -0300
+@@ -116,7 +116,8 @@
+     for token in state.tokens:
+         if token.type != "inline":
+             continue
+-        assert token.children is not None
++        if token.children is None:
++            continue
+
+         if SCOPED_ABBR_RE.search(token.content):
+             replace_scoped(token.children)
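Review bot: `if token.children is None: continue` skips both the scoped-abbreviation and the rare-replacement passes for a token without children, which matches the smartquotes change; either keep `is None` and note in a comment that an empty list is still handed to replace_scoped on purpose, or use `if not token.children:` and save the two regex searches for that case. Both are correct; the point is that a reader should not have to guess whether the empty-list case was considered.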
+Index: markdown-it-py-2.1.0/markdown_it/rules_core/smartquotes.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/rules_core/smartquotes.py	2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/rules_core/smartquotes.py	2023-03-31 07:50:21.635213318 -0300
+@@ -198,5 +198,5 @@
+
+         if token.type != "inline" or not QUOTE_RE.search(token.content):
+             continue
+-        assert token.children is not None
+-        process_inlines(token.children, state)
++        if token.children is not None:
++            process_inlines(token.children, state)
+Index: markdown-it-py-2.1.0/tests/test_port/fixtures/issue-fixes.md
+===================================================================
+--- markdown-it-py-2.1.0.orig/tests/test_port/fixtures/issue-fixes.md	2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/tests/test_port/fixtures/issue-fixes.md	2023-03-31 07:50:21.635213318 -0300
+@@ -36,3 +36,12 @@
+ .
+ <p>💬</p>
+ .
++
++Fix CVE-2023-26303
++.
++![![]()
++]([)
++.
++<p><img src="%5B" alt="
++" /></p>
++.
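Review bot: this fixture exercises only the image path in renderer.py; the guards added to rules_core/replacements.py and rules_core/smartquotes.py are not reached by it, because those rules only run with the typographer option enabled and test_issue_fixes (below) builds a default MarkdownIt(). A second fixture rendered with typographer enabled, or a direct unit test feeding an inline token with children=None through those two rules, would cover the rest of the change. The expected output with a literal newline inside alt="..." is what the input produces and is valid HTML.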
+Index: markdown-it-py-2.1.0/tests/test_port/test_fixtures.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/tests/test_port/test_fixtures.py	2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/tests/test_port/test_fixtures.py	2023-03-31 07:50:21.635213318 -0300
+@@ -111,4 +111,5 @@
+ def test_issue_fixes(line, title, input, expected):
+     md = MarkdownIt()
+     text = md.render(input)
++    print(text)
+     assert text.rstrip() == expected.rstrip()
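Review bot: `print(text)` looks like a debugging leftover; pytest captures stdout so it does no harm, but it is not part of the fix and adds noise to the report of any failing fixture. Drop it from the Debian patch; the rest of the upstream commit can be kept verbatim.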
diff -Nru markdown-it-py-2.1.0/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch markdown-it-py-2.1.0/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch
--- markdown-it-py-2.1.0/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch	1969-12-31 21:00:00.000000000 -0300
+++ markdown-it-py-2.1.0/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch	2023-03-31 07:50:42.000000000 -0300
@@ -0,0 +1,47 @@
+From e711074fe79be7ff257a41d15969b79edfaa7c8e Mon Sep 17 00:00:00 2001
+From: Chris Sewell <chrisj_sewell@hotmail.com>
+Date: Wed, 22 Feb 2023 06:19:13 +0100
+Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20CLI=20crash=20on=20non-ut?=
+ =?UTF-8?q?f8=20character?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/1031764
+
+---
+ markdown_it/cli/parse.py | 2 +-
+ tests/test_cli.py        | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/markdown_it/cli/parse.py b/markdown_it/cli/parse.py
+index 2d74f55a..890d5de3 100644
+--- a/markdown_it/cli/parse.py
++++ b/markdown_it/cli/parse.py
+@@ -35,7 +35,7 @@ def convert_file(filename: str) -> None:
+     Parse a Markdown file and dump the output to stdout.
+     """
+     try:
+-        with open(filename, "r") as fin:
++        with open(filename, "r", encoding="utf8", errors="ignore") as fin:
+             rendered = MarkdownIt().render(fin.read())
+             print(rendered, end="")
+     except OSError:
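Review bot: the fix works because it pins the encoding; the crash on invalid UTF-8 was a UnicodeDecodeError from the locale-dependent default decoder, which the `except OSError:` below does not catch. Two follow-ups: `errors="ignore"` silently drops the bad bytes, so the reader gets no sign that the input was damaged, whereas `errors="replace"` keeps a visible U+FFFD and is the usual choice for untrusted text; and the same class of problem exists on the output side, since `print(rendered, end="")` can raise UnicodeEncodeError for non-ASCII output on a terminal whose encoding cannot represent it, which this patch does not touch.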
+diff --git a/tests/test_cli.py b/tests/test_cli.py
+index 57d6b938..c38e24fd 100644
+--- a/tests/test_cli.py
++++ b/tests/test_cli.py
+@@ -20,6 +20,13 @@ def test_parse_fail():
+     assert exc_info.value.code == 1
+
+
++def test_non_utf8():
++    with tempfile.TemporaryDirectory() as tempdir:
++        path = pathlib.Path(tempdir).joinpath("test.md")
++        path.write_bytes(b"\x80abc")
++        assert parse.main([str(path)]) == 0
++
++
+ def test_print_heading():
+     with patch("builtins.print") as patched:
+         parse.print_heading()
+
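Review bot: test_non_utf8 checks only the exit status, not that the decoded content survived; asserting on what was printed (with capsys, or by patching print as test_print_heading below already does) would also catch a later change of the errors policy or of the encoding. Also confirm that `tempfile` and `pathlib` are already imported at the top of tests/test_cli.py, since the hunk does not add them.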
diff -Nru markdown-it-py-2.1.0/debian/patches/series markdown-it-py-2.1.0/debian/patches/series
--- markdown-it-py-2.1.0/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ markdown-it-py-2.1.0/debian/patches/series	2023-03-31 07:50:42.000000000 -0300
@@ -0,0 +1,2 @@
+0001-fix-unnecessary-asserts-leading-to-crashes.patch
+0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch

--- End Message ---
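Added example (not markdown-it-py code and not from the bug report): a stdlib-only model of the two crash classes the patches above close. The Token class and the two render functions are simplified stand-ins for the library's renderer, written here for illustration; the inputs are constructed, with the byte string b"\x80abc" taken from the upstream regression test.

```python
"""Two input-hardening patterns, modelled on the markdown-it-py fixes.

CVE-2023-26303 class: a renderer that validates parser output with `assert`
turns an unexpected token shape into an uncaught AssertionError (or, under
`python -O`, where asserts are stripped, into a TypeError one line later).
CVE-2023-26302 class: decoding an untrusted file with the locale default
raises UnicodeDecodeError on invalid UTF-8, which `except OSError` does not
catch.  Token, render_inline_assert and render_inline_guarded are simplified
stand-ins for the library's types, not its real code.
"""
import pathlib
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Token:
    type: str
    content: str = ""
    children: Optional[List["Token"]] = None      # None = never populated
    attrs: Dict[str, str] = field(default_factory=dict)


def render_inline_assert(tokens: List[Token]) -> str:
    """Pre-fix shape: the assert is a crash point reachable from input."""
    out = ""
    for tok in tokens:
        if tok.type == "text":
            out += tok.content
        elif tok.type == "image":
            assert tok.children is not None          # AssertionError here ...
            out += render_inline_assert(tok.children)  # ... or TypeError with -O
    return out


def render_inline_guarded(tokens: List[Token]) -> str:
    """Post-fix shape: a missing child list renders as empty text."""
    out = ""
    for tok in tokens:
        if tok.type == "text":
            out += tok.content
        elif tok.type == "image":
            if tok.children:                         # None and [] both render ""
                out += render_inline_guarded(tok.children)
    return out


def decode_untrusted(data: bytes, errors: str = "ignore") -> str:
    """Decode as UTF-8 with an explicit policy instead of the locale default.

    "ignore" drops bad bytes (what the patch chose); "replace" keeps a visible
    U+FFFD per bad byte; "strict" is the default and raises UnicodeDecodeError.
    """
    return data.decode("utf-8", errors=errors)


def read_markdown_file(path: str, errors: str = "ignore") -> str:
    """The patched convert_file() idiom: encoding pinned, policy explicit."""
    with open(path, "r", encoding="utf8", errors=errors) as fin:
        return fin.read()


def crash_class(fn, *args) -> Optional[str]:
    """Run fn(*args); return the exception class name, or None if it returned."""
    try:
        fn(*args)
    except Exception as exc:  # broad on purpose: we only want the class name
        return type(exc).__name__
    return None


def roundtrip_demo() -> str:
    """Write the upstream test's bytes to a temp file and read them back."""
    with tempfile.TemporaryDirectory() as tempdir:
        path = pathlib.Path(tempdir).joinpath("test.md")
        path.write_bytes(INVALID_UTF8)
        return read_markdown_file(str(path))


# Constructed inputs: an image token whose children were never filled in
# (the shape the nested-image fixture produces), and the regression bytes.
BROKEN_IMAGE = [Token("image", attrs={"src": "%5B"})]
INVALID_UTF8 = b"\x80abc"

if __name__ == "__main__":
    print(crash_class(render_inline_assert, BROKEN_IMAGE))      # AssertionError (without -O)
    print(repr(render_inline_guarded(BROKEN_IMAGE)))            # ''
    print(crash_class(decode_untrusted, INVALID_UTF8, "strict"))  # UnicodeDecodeError
    print(repr(decode_untrusted(INVALID_UTF8)))                 # 'abc'
    print(repr(decode_untrusted(INVALID_UTF8, "replace")))      # '\ufffdabc'
    print(repr(roundtrip_demo()))                               # 'abc'
```

Running the block with `python -O` strips the assert, so the pre-fix renderer dies one line later with TypeError instead of AssertionError; either way the process is killed by attacker-controlled input, which is why an assert is not input validation. For the decoder, "replace" is usually the better default for untrusted text, since a U+FFFD in the output tells the reader the file was damaged, while "ignore" hides it.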
--- Begin Message ---
Unblocked.

--- End Message ---
