
Bug#987799: marked as done (md4c: CVE-2021-30027)



Your message dated Mon, 03 May 2021 13:48:43 +0000
with message-id <E1ldYwF-000EGB-F2@fasolo.debian.org>
and subject line Bug#987799: fixed in md4c 0.4.7-2
has caused the Debian Bug report #987799,
regarding md4c: CVE-2021-30027
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987799
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: md4c
Version: 0.4.7-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mity/md4c/issues/155
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for md4c.

CVE-2021-30027[0]:
| md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger
| use of uninitialized memory, and cause a denial of service via a
| malformed Markdown document.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-30027
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30027
[1] https://github.com/mity/md4c/issues/155
[2] https://github.com/mity/md4c/commit/4fc808d8fe8d8904f8525bb4231d854f45e23a19

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: md4c
Source-Version: 0.4.7-2
Done: Patrick Franz <patfra71@gmail.com>

We believe that the bug you reported is fixed in the latest version of
md4c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987799@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <patfra71@gmail.com> (supplier of updated md4c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 03 May 2021 15:21:36 +0200
Source: md4c
Architecture: source
Version: 0.4.7-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <patfra71@gmail.com>
Closes: 987799
Changes:
 md4c (0.4.7-2) unstable; urgency=medium
 .
   * Cherry-pick commit to handle CVE-2021-30027 which can cause a denial
     of service (Closes: #987799).


--- End Message ---
