Your message dated Mon, 22 Sep 2025 16:19:24 -0700
with message-id <117241403.nniJfEyVGO@soren-desktop>
and subject line ruby-commonmarker: CVE-2023-22483 CVE-2023-22484
CVE-2023-22485 CVE-2023-22486
has caused the Debian Bug report #1033113,
regarding ruby-commonmarker: CVE-2023-22483 CVE-2023-22484 CVE-2023-22485
CVE-2023-22486
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1033113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033113
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-commonmarker
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for ruby-commonmarker.
CVE-2023-22483[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to several polynomial time complexity issues in cmark-gfm that
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Various commands, when piped to cmark-gfm with large values,
| cause the running time to increase quadratically. These
| vulnerabilities have been patched in version 0.29.0.gfm.7.
https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c
CVE-2023-22484[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to a polynomial time complexity issue in cmark-gfm that may
| lead to unbounded resource exhaustion and subsequent denial of
| service. This vulnerability has been patched in 0.29.0.gfm.7.
https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r
CVE-2023-22485[2]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior 0.29.0.gfm.7, a
| crafted markdown document can trigger an out-of-bounds read in the
| `validate_protocol` function. We believe this bug is harmless in
| practice, because the out-of-bounds read accesses `malloc` metadata
| without causing any visible damage.This vulnerability has been patched
| in 0.29.0.gfm.7.
https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr
CVE-2023-22486[3]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7
| contain a polynomial time complexity issue in handle_close_bracket
| that may lead to unbounded resource exhaustion and subsequent denial
| of service. This vulnerability has been patched in 0.29.0.gfm.7.
https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-22483
https://www.cve.org/CVERecord?id=CVE-2023-22483
[1] https://security-tracker.debian.org/tracker/CVE-2023-22484
https://www.cve.org/CVERecord?id=CVE-2023-22484
[2] https://security-tracker.debian.org/tracker/CVE-2023-22485
https://www.cve.org/CVERecord?id=CVE-2023-22485
[3] https://security-tracker.debian.org/tracker/CVE-2023-22486
https://www.cve.org/CVERecord?id=CVE-2023-22486
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Closing this bug as it has been fixed for a while.
--
Soren Stoutner
[email protected]
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
