Your message dated Mon, 22 Sep 2025 16:20:56 -0700
with message-id <2200755.OBFZWjSADL@soren-desktop>
and subject line ruby-commonmarker: CVE-2022-39209
has caused the Debian Bug report #1034888,
regarding ruby-commonmarker: CVE-2022-39209
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1034888: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034888
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-commonmarker
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for ruby-commonmarker.
CVE-2022-39209[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior to 0.29.0.gfm.6
| a polynomial time complexity issue in cmark-gfm's autolink extension
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Users may verify the patch by running `python3 -c
| 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will
| resource exhaust on unpatched cmark-gfm but render correctly on
| patched cmark-gfm. This vulnerability has been patched in
| 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade
| should disable the use of the autolink extension.
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70
(0.29.0.gfm.6)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-39209
https://www.cve.org/CVERecord?id=CVE-2022-39209
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Closing as this has been fixed for a while.
--
Soren Stoutner
[email protected]
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
