
Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor



Hello,


To my knowledge, CVE-2022-39209 concerns versions of cmark-gfm before 0.29.0.gfm.3 and 0.28.3.gfm.21:

This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21.

https://security-tracker.debian.org/tracker/CVE-2022-24724


However, the version given is indeed 0.29.0.gfm.3 (Fixes #741: Update to cmark-gfm 0.29.0.gfm.3 to patch vulnerability) https://github.com/KDE/ghostwriter/tree/release/3rdparty/cmark-gfm.


I will replace the home page, as well as the github tag, weird that it no longer works since I repatriated the sources via `uscan` but it will be done. Actually no, not that weird since the upstream author released this 2.2.0 version first on his github and then made the switch to kde's.


I replaced the lintian message in debian/source/lintian-overrides precisely to avoid an overflow error, in short, it's been done since a yawn without ever causing any problems, for proof it's already the case in the ghostwriter version in backport (2.0.2-2~bpo11+1), that's what I was advised to do at the time.

Cordially.

On 07/10/2022 at 11:19, Bastian Germann wrote:
Also, the homepage should be replaced with https://kde.github.io/ghostwriter and the watch file should scan GitHub's tags page instead of releases (does not work anymore).

I do not see the corresponding source for a lot of minified _javascript_ files in 3rdparty/MathJax/bin.
You try to override the lintian msg in debian/source/lintian-overrides but do not give a reason for it.
