Hello,
To my knowledge, CVE-2022-39209 concerns versions of cmark-gfm before
0.29.0.gfm.3 and 0.28.3.gfm.21:
This vulnerability has been patched in the following cmark-gfm
versions 0.29.0.gfm.3 and 0.28.3.gfm.21.
https://security-tracker.debian.org/tracker/CVE-2022-24724
However, the version given is indeed 0.29.0.gfm.3 (Fixes #741: Update to
cmark-gfm 0.29.0.gfm.3 to patch vulnerability)
https://github.com/KDE/ghostwriter/tree/release/3rdparty/cmark-gfm.
I will replace the home page, as well as the GitHub tag; weird that it
no longer works since I retrieved the sources via `uscan`, but it will
be done. Actually no, not that weird, since the upstream author released
this 2.2.0 version first on his GitHub and then made the switch to KDE's.
I replaced the lintian message in debian/source/lintian-overrides
precisely to avoid an overflow error; in short, it's been done this way for
ages without ever causing any problems. As proof, it's already the case
in the ghostwriter version in backports (2.0.2-2~bpo11+1); that's what I
was advised to do at the time.
Cordially.
On 07/10/2022 at 11:19, Bastian Germann wrote:
Also, the homepage should be replaced with
https://kde.github.io/ghostwriter and the watch file should scan
GitHub's tags page instead of releases (does not work anymore).
I do not see the corresponding source for a lot of minified JavaScript
files in 3rdparty/MathJax/bin.
You try to override the lintian msg in debian/source/lintian-overrides
but do not give a reason for it.