From e924fa27b9b060b0b78d00d8c7a9b5f40e7d968e Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 29 Apr 2024 06:24:24 +0200
Subject: Adding debian version 2.1.0-5.
Signed-off-by: Daniel Baumann
---
debian/TODO | 3 +
debian/changelog | 73 +++++++++++++
debian/control | 38 +++++++
debian/copyright | 38 +++++++
debian/gbp.conf | 3 +
...ix-unnecessary-asserts-leading-to-crashes.patch | 116 +++++++++++++++++++++
...dos-casued-by-invalid-utf-8-char-as-input.patch | 47 +++++++++
debian/patches/series | 2 +
debian/rules | 23 ++++
debian/salsa-ci.yml | 5 +
debian/source/format | 1 +
debian/source/options | 1 +
debian/tests/control | 11 ++
debian/tests/unittests | 20 ++++
debian/upstream/metadata | 4 +
debian/watch | 3 +
16 files changed, 388 insertions(+)
create mode 100644 debian/TODO
create mode 100644 debian/changelog
create mode 100644 debian/control
create mode 100644 debian/copyright
create mode 100644 debian/gbp.conf
create mode 100644 debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch
create mode 100644 debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch
create mode 100644 debian/patches/series
create mode 100755 debian/rules
create mode 100644 debian/salsa-ci.yml
create mode 100644 debian/source/format
create mode 100644 debian/source/options
create mode 100644 debian/tests/control
create mode 100644 debian/tests/unittests
create mode 100644 debian/upstream/metadata
create mode 100644 debian/watch
diff --git a/debian/TODO b/debian/TODO
new file mode 100644
index 0000000..b83310b
--- /dev/null
+++ b/debian/TODO
@@ -0,0 +1,3 @@
+* Package myst-nb to build the python-markdown-it-py-doc package.
+* Package linkify and activate the tests that depends on linkify
+ (see #997970).
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..0442b28
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,73 @@
+markdown-it-py (2.1.0-5) unstable; urgency=high
+
+ * d/paches: Add patches from upstream to fix CVE-2023-26302 and
+ CVE-2023-26303 (Closes: #1031764).
+ - The patches added are:
+ 0001-fix-unnecessary-asserts-leading-to-crashes.patch and
+ 0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch.
+
+ -- Emmanuel Arias Fri, 31 Mar 2023 07:50:42 -0300
+
+markdown-it-py (2.1.0-4) unstable; urgency=medium
+
+ * Team upload.
+ * Source-only upload to allow testing migration.
+
+ [ Debian Janitor ]
+ * Trim trailing whitespace.
+
+ -- Boyuan Yang Sat, 01 Oct 2022 10:49:00 -0400
+
+markdown-it-py (2.1.0-3) unstable; urgency=medium
+
+ * d/control: Version flit in build depends to be according to
+ pyproject.toml (Closes: #1013204).
+ - Patch provided by David Paul .
+
+ -- Emmanuel Arias Thu, 21 Jul 2022 11:38:34 -0300
+
+markdown-it-py (2.1.0-2) unstable; urgency=medium
+
+ * source-only upload
+
+ -- Emmanuel Arias Sun, 22 May 2022 11:05:59 -0300
+
+markdown-it-py (2.1.0-1) unstable; urgency=medium
+
+ * New upstream version.
+ * d/control: Build with pybuild's pyproject plugin. Add
+ pybuild-plugin-pyproject as Build Depends.
+ - Add flit as Build Dependency. Remove setuptools, it's not longer used.
+ * d/copyright: Update Copyright year for debian/* files.
+ * d/salsa-ci.yml: Re-introduce the salsa-ci file.
+ * d/control: Bump Standards-Version to 4.6.1 (from 4.6.0.1; no changes
+ needed).
+ * d/control: Remove trivial autopkgtest-pkg-python.
+
+ -- Emmanuel Arias Thu, 19 May 2022 11:22:59 -0300
+
+markdown-it-py (2.0.1-1) unstable; urgency=medium
+
+ * New upstream version.
+ * d/control: Add python3-mdurl as dependency.
+ * d/copyright: Add copyright entry for markdown_it/_punycode.py file.
+ * d/control: Remove python3-pytest-cov package as build deps.
+ - It's not used during build.
+ * d/tests/control: Stop using @builddeps@. Add python3-all,
+ python3-commonmark, python3-markdown, python3-mistletoe,
+ python3-mistune, python3-psutil, python3-pytest,
+ python3-pytest-benchmark, python3-pytest-regressions as Depends.
+
+ -- Emmanuel Arias Sat, 26 Mar 2022 13:55:59 -0300
+
+markdown-it-py (1.1.0-2) unstable; urgency=medium
+
+ * source-only upload
+
+ -- Sandro Tosi Sun, 02 Jan 2022 12:30:49 -0500
+
+markdown-it-py (1.1.0-1) unstable; urgency=low
+
+ * Initial release (Closes: 997044).
+
+ -- Emmanuel Arias Mon, 25 Oct 2021 16:07:05 +0000
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..6e9be6f
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,38 @@
+Source: markdown-it-py
+Section: python
+Priority: optional
+Maintainer: Debian Python Team
+Uploaders: Emmanuel Arias ,
+Build-Depends: debhelper-compat (= 13),
+ flit (<< 4),
+ flit (>= 3.2),
+ pybuild-plugin-pyproject,
+ python3-all,
+ python3-attr,
+ python3-commonmark ,
+ python3-markdown ,
+ python3-mdurl,
+ python3-mistletoe ,
+ python3-mistune ,
+ python3-psutil ,
+ python3-pytest ,
+ python3-pytest-benchmark ,
+ python3-pytest-regressions ,
+ python3-sphinx,
+Standards-Version: 4.6.1
+Rules-Requires-Root: no
+Homepage: https://github.com/executablebooks/markdown-it-py
+Vcs-Git: https://salsa.debian.org/python-team/packages/markdown-it-py.git
+Vcs-Browser: https://salsa.debian.org/python-team/packages/markdown-it-py
+
+Package: python3-markdown-it
+Architecture: all
+Depends: ${misc:Depends},
+ ${python3:Depends},
+Recommends: ${python3:Recommends},
+Suggests: ${python3:Suggests},
+Description: Python port of markdown-it and some its associated plugins
+ High speed Python markdown parser based in markdown-it. markdown-it-py
+ follows the CommonMark spec for baseline parsing. Also, new syntax
+ rules can be added and even replace existing ones. New syntax extensions
+ can be added to extend the parser.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..5203b00
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,38 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: markdown-it-py
+Upstream-Contact: Chris Sewell
+Source: https://github.com/executablebooks/markdown-it-py
+
+Files: *
+Copyright: 2020 Chris Sewell
+ 2020 ExecutableBookProject
+ 2014 Vitaly Puzrin, Alex Kocharin
+License: expat
+
+Files: markdown_it/_punycode.py
+Copyright: 2014 Mathias Bynens
+ 2021 Taneli Hukkinen
+License: expat
+
+Files: debian/*
+Copyright: 2021-2022 Emmanuel Arias
+License: expat
+
+License: expat
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
+ OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..47fe321
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/master
diff --git a/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch b/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch
new file mode 100644
index 0000000..ded7e70
--- /dev/null
+++ b/debian/patches/0001-fix-unnecessary-asserts-leading-to-crashes.patch
@@ -0,0 +1,116 @@
+From ae03c6107dfa18e648f6fdd1280f5b89092d5d49 Mon Sep 17 00:00:00 2001
+From: Chris Sewell
+Date: Wed, 22 Feb 2023 05:56:39 +0100
+Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20CVE-2023-26303=20(#246)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/1031764
+
+Fix unnecessary asserts, leading to crashes
+---
+ markdown_it/renderer.py | 20 ++++++++------------
+ markdown_it/rules_core/replacements.py | 3 ++-
+ markdown_it/rules_core/smartquotes.py | 4 ++--
+ tests/test_port/fixtures/issue-fixes.md | 9 +++++++++
+ tests/test_port/test_fixtures.py | 1 +
+ 5 files changed, 22 insertions(+), 15 deletions(-)
+
+Index: markdown-it-py-2.1.0/markdown_it/renderer.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/renderer.py 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/renderer.py 2023-03-31 07:50:21.635213318 -0300
+@@ -84,8 +84,8 @@
+ for i, token in enumerate(tokens):
+
+ if token.type == "inline":
+- assert token.children is not None
+- result += self.renderInline(token.children, options, env)
++ if token.children:
++ result += self.renderInline(token.children, options, env)
+ elif token.type in self.rules:
+ result += self.rules[token.type](tokens, i, options, env)
+ else:
+@@ -207,8 +207,8 @@
+ if token.type == "text":
+ result += token.content
+ elif token.type == "image":
+- assert token.children is not None
+- result += self.renderInlineAsText(token.children, options, env)
++ if token.children:
++ result += self.renderInlineAsText(token.children, options, env)
+ elif token.type == "softbreak":
+ result += "\n"
+
+@@ -306,14 +306,10 @@
+
+ # "alt" attr MUST be set, even if empty. Because it's mandatory and
+ # should be placed on proper position for tests.
+-
+- assert (
+- token.attrs and "alt" in token.attrs
+- ), '"image" token\'s attrs must contain `alt`'
+-
+- # Replace content with actual value
+-
+- token.attrSet("alt", self.renderInlineAsText(token.children, options, env))
++ if token.children:
++ token.attrSet("alt", self.renderInlineAsText(token.children, options, env))
++ else:
++ token.attrSet("alt", "")
+
+ return self.renderToken(tokens, idx, options, env)
+
+Index: markdown-it-py-2.1.0/markdown_it/rules_core/replacements.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/rules_core/replacements.py 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/rules_core/replacements.py 2023-03-31 07:50:21.635213318 -0300
+@@ -116,7 +116,8 @@
+ for token in state.tokens:
+ if token.type != "inline":
+ continue
+- assert token.children is not None
++ if token.children is None:
++ continue
+
+ if SCOPED_ABBR_RE.search(token.content):
+ replace_scoped(token.children)
+Index: markdown-it-py-2.1.0/markdown_it/rules_core/smartquotes.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/markdown_it/rules_core/smartquotes.py 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/markdown_it/rules_core/smartquotes.py 2023-03-31 07:50:21.635213318 -0300
+@@ -198,5 +198,5 @@
+
+ if token.type != "inline" or not QUOTE_RE.search(token.content):
+ continue
+- assert token.children is not None
+- process_inlines(token.children, state)
++ if token.children is not None:
++ process_inlines(token.children, state)
+Index: markdown-it-py-2.1.0/tests/test_port/fixtures/issue-fixes.md
+===================================================================
+--- markdown-it-py-2.1.0.orig/tests/test_port/fixtures/issue-fixes.md 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/tests/test_port/fixtures/issue-fixes.md 2023-03-31 07:50:21.635213318 -0300
+@@ -36,3 +36,12 @@
+ .
+

💬

+ .
++
++Fix CVE-2023-26303
++.
++![![]()
++]([)
++.
++


++

++.
+Index: markdown-it-py-2.1.0/tests/test_port/test_fixtures.py
+===================================================================
+--- markdown-it-py-2.1.0.orig/tests/test_port/test_fixtures.py 2023-03-31 07:50:21.639213371 -0300
++++ markdown-it-py-2.1.0/tests/test_port/test_fixtures.py 2023-03-31 07:50:21.635213318 -0300
+@@ -111,4 +111,5 @@
+ def test_issue_fixes(line, title, input, expected):
+ md = MarkdownIt()
+ text = md.render(input)
++ print(text)
+ assert text.rstrip() == expected.rstrip()
diff --git a/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch b/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch
new file mode 100644
index 0000000..f244847
--- /dev/null
+++ b/debian/patches/0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch
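Review bot: The DEP-3 header of this carried patch has `Bug-Debian` but no `Origin:` or `Forwarded:` field, so the only link to the upstream change is the commit id in the mbox `From` line, and the body has been refreshed into quilt `Index:` form, so it is not byte-identical to that commit. I would add `Origin: upstream, https://github.com/executablebooks/markdown-it-py/commit/ae03c6107dfa18e648f6fdd1280f5b89092d5d49` so a later reviewer can compare the two. The same header gap applies to 0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch, whose subject also never names CVE-2023-26302 although debian/changelog says the upload fixes it; a one-line description naming the CVE would help there. Separately, the `print(text)` added to `test_issue_fixes` looks like leftover debugging output.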
@@ -0,0 +1,47 @@
+From e711074fe79be7ff257a41d15969b79edfaa7c8e Mon Sep 17 00:00:00 2001
+From: Chris Sewell
+Date: Wed, 22 Feb 2023 06:19:13 +0100
+Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20CLI=20crash=20on=20non-ut?=
+ =?UTF-8?q?f8=20character?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/1031764
+
+---
+ markdown_it/cli/parse.py | 2 +-
+ tests/test_cli.py | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/markdown_it/cli/parse.py b/markdown_it/cli/parse.py
+index 2d74f55a..890d5de3 100644
+--- a/markdown_it/cli/parse.py
++++ b/markdown_it/cli/parse.py
+@@ -35,7 +35,7 @@ def convert_file(filename: str) -> None:
+ Parse a Markdown file and dump the output to stdout.
+ """
+ try:
+- with open(filename, "r") as fin:
++ with open(filename, "r", encoding="utf8", errors="ignore") as fin:
+ rendered = MarkdownIt().render(fin.read())
+ print(rendered, end="")
+ except OSError:
+diff --git a/tests/test_cli.py b/tests/test_cli.py
+index 57d6b938..c38e24fd 100644
+--- a/tests/test_cli.py
++++ b/tests/test_cli.py
+@@ -20,6 +20,13 @@ def test_parse_fail():
+ assert exc_info.value.code == 1
+
+
++def test_non_utf8():
++ with tempfile.TemporaryDirectory() as tempdir:
++ path = pathlib.Path(tempdir).joinpath("test.md")
++ path.write_bytes(b"\x80abc")
++ assert parse.main([str(path)]) == 0
++
++
+ def test_print_heading():
+ with patch("builtins.print") as patched:
+ parse.print_heading()
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..70e99b6
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+0001-fix-unnecessary-asserts-leading-to-crashes.patch
+0002-fix-dos-casued-by-invalid-utf-8-char-as-input.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..4e9559e
--- /dev/null
+++ b/debian/rules
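Review bot: `errors="ignore"` on the `open()` call in `convert_file` deletes undecodable bytes silently, so the rendered output can differ from the file on disk with no diagnostic, and the text on either side of a dropped byte is joined; that is why Unicode security guidance prefers substituting ill-formed input over deleting it. `errors="replace"` would leave a visible U+FFFD at each position and still avoid the decode error this patch targets, though the added `test_non_utf8` would need to be re-run with it. As this is an upstream change carried verbatim, it is probably better raised upstream than altered in the Debian copy. `convert_file` starts and ends outside the inner hunk.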
@@ -0,0 +1,23 @@
+#! /usr/bin/make -f
+
+
+# ignore linkify tests until linkify is package in Debian #997970
+export PYBUILD_TEST_ARGS=--ignore tests/test_linkify.py \
+ --ignore tests/test_port/test_fixtures.py \
+ -k 'not test_linkify'
+export PYBUILD_NAME=markdown-it-py
+
+
+PYTHON3S:=$(shell py3versions -vr)
+
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
+
+override_dh_auto_test:
+ifeq (,$(filter nocheck, $(DEB_BUILD_OPTIONS)))
+ dh_auto_test
+ set -e ; for pyvers in $(PYTHON3S); do \
+ PYTHONPATH=. python$$pyvers -m pytest benchmarking/bench_core.py benchmarking/bench_packages.py ;\
+ done
+endif
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
new file mode 100644
index 0000000..5e6658d
--- /dev/null
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,5 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000..d81db3f
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1 @@
+extend-diff-ignore="^[^/]+.egg-info/"
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..610303a
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,11 @@
+Tests: unittests
+Depends: python3-all,
+ python3-commonmark,
+ python3-markdown,
+ python3-mistletoe,
+ python3-mistune,
+ python3-psutil,
+ python3-pytest,
+ python3-pytest-benchmark,
+ python3-pytest-regressions,
+ @,
diff --git a/debian/tests/unittests b/debian/tests/unittests
new file mode 100644
index 0000000..bd75661
--- /dev/null
+++ b/debian/tests/unittests
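Review bot: `--ignore tests/test_port/test_fixtures.py` in `PYBUILD_TEST_ARGS` skips the file that holds `test_issue_fixes`, the test that runs the CVE-2023-26303 regression case patch 0001 adds to tests/test_port/fixtures/issue-fixes.md, so the security fix this upload exists for is never exercised at build time. debian/tests/unittests passes the same `--ignore`, so the autopkgtest does not cover it either. If only the linkify cases in that file need skipping (an assumption, since the file is not shown here), the existing `-k 'not test_linkify'` may already be enough and the second `--ignore` line could be dropped; otherwise a pytest `--deselect` per failing test would keep `test_issue_fixes` running. The comment above the export should then say which tests are skipped and why.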
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -efu
+
+pys="$(py3versions -s 2> /dev/null)"
+
+
+cp -a tests "$AUTOPKGTEST_TMP"
+cp -a benchmarking "$AUTOPKGTEST_TMP"
+
+cd "$AUTOPKGTEST_TMP"
+
+
+for py in $pys; do
+ echo "=== $py ==="
+ # ignore linkify tests until linkify is package in Debian #997970
+ $py -m pytest --ignore tests/test_linkify.py \
+ --ignore tests/test_port/test_fixtures.py \
+ -k 'not test_linkify' 2>&1
+ $py -m pytest benchmarking/bench_core.py benchmarking/bench_packages.py 2>&1
+done
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..7c34832
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+Bug-Database: https://github.com/executablebooks/markdown-it-py/issues
+Bug-Submit: https://github.com/executablebooks/markdown-it-py/issues/new
+Repository: https://github.com/executablebooks/markdown-it-py.git
+Repository-Browse: https://github.com/executablebooks/markdown-it-py
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..7c76c12
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=4
+opts="pgpmode=none, filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@myst-parser@-$1.tar.gz%" \
+https://github.com/executablebooks/markdown-it-py/tags (?:.*?/)?v?(\d[\d.]*)\.tar\.gz
-- cgit v1.2.3
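Review bot: If `py3versions -s` prints nothing, `for py in $pys` runs zero times and the script exits 0 without having run a single test, and `2> /dev/null` hides whatever py3versions reported. A guard right after the assignment turns that into a failure: `[ -n "$pys" ] || { echo "no supported python3 interpreters found"; exit 1; }`. A short comment that `$pys` is left unquoted on purpose, so it splits into one interpreter per word, would also help the next reader.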
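Review bot: The replacement side of `filenamemangle` in debian/watch uses `@myst-parser@`, which is not a uscan substitution and looks copied from another package's watch file, so the downloaded tarball would carry that literal string in its name instead of this source package's name; `@PACKAGE@-$1.tar.gz` is the form uscan expands. `pgpmode=none` also means uscan performs no signature check on the tarball, which leaves integrity to the HTTPS fetch from GitHub and to the pristine-tar data that debian/gbp.conf enables. If upstream signs its tags this is worth revisiting; if not, a one-line comment saying so would document the choice.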