[MIR] markdown-it-py

Bug #2003568 reported by Danilo Egea Gondolfo
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
markdown-it-py (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

[Availability]
The package markdown-it-py is already in Ubuntu universe.
The package markdown-it-py build for the architectures it is designed to work on.
It currently builds and works for architetcures: all
Link to package https://launchpad.net/ubuntu/+source/markdown-it-py

[Rationale]
- The package markdown-it-py is required in Ubuntu main as it will be used by netplan.io (it's a dependency of src:rich, which is a dependency of netplan.io), which is already in main.
- The package markdown-it-py will generally be useful for a large part of our user base
- The package markdown-it-py is a new runtime dependency of package netplan.io (through src:rich) that we already support
- The package python3-rich itself not yet depends on markdown-it-py but upstream just migrated to it and rich will depend on it when the maintainer update the package.

- The package markdown-it-py is required in Ubuntu main no later than Feb 23 due to feature freeze.

[Security]
- Had 0 security issues in the past
- No CVEs/security issues in this software in the past

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024)
- Packages does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/markdown-it-py/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=markdown-it-py

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpadlibrarian.net/632298609/buildlog_ubuntu-lunar-amd64.markdown-it-py_2.1.0-4_BUILDING.txt.gz

- The package runs an autopkgtest, and is currently passing on all but i386 architectures, link to test logs https://autopkgtest.ubuntu.com/packages/markdown-it-py

- The package does have not failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works

- debian/control defines a correct Maintainer field

- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/632298609/buildlog_ubuntu-lunar-amd64.markdown-it-py_2.1.0-4_BUILDING.txt.gz

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions higher than medium

- Packaging and build is easy, link to d/rules https://git.launchpad.net/ubuntu/+source/markdown-it-py/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- There are further dependencies that are not yet in main, MIR for them is at:
python-typing-extensions: https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821
mdurl: https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds

- This does not use vendored code

- This package is not rust based

- The package successfully built during the most recent test rebuild

[Background information]
The Package description explains the package well
Upstream Name is markdown-it-py
Link to upstream project https://github.com/executablebooks/markdown-it-py

Tags: sec-1640

CVE References

Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

$ lintian --pedantic
E: markdown-it-py changes: bad-distribution-in-changes-file unstable
P: markdown-it-py source: very-long-line-length-in-source-file 1912 > 512 [markdown_it/common/utils.py:226]
P: markdown-it-py source: very-long-line-length-in-source-file 882 > 512 [benchmarking/samples/lorem1.txt:3]

Changed in markdown-it-py (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Revision history for this message
Ioanna Alifieraki (joalif) wrote :
Download full text (3.4 KiB)

Review for Package: markdown-it-py

[Summary]
The package looks ok, it'll need sec review and it's good to go once
it's dependencies are in main.
MIR team ACK under the constraint to resolve the below listed
required TODOs.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: python3-markdown-it

Notes:
Required TODOs:
Dependencies required in main first, both under MIR process:
1. https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821
2. https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818

- The package should get a team bug subscriber before being promoted

[Duplication]
Package markdown-it-py is required in main as indirect dependency of netplan.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- 2 more dependencies to MIR, already under MIR process:
  - https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821
  - https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- Python package, but using dh_python

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no ...

Read more...

Changed in markdown-it-py (Ubuntu):
assignee: Ioanna Alifieraki (joalif) → nobody
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Which team will own this package? The MIR template text looks to have been overlooked.

Thanks

tags: added: sec-1640
Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

Foundations will own it.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks, I've updated our Jira ticket to put it in the right lane.

Revision history for this message
Lukas Märdian (slyon) wrote :

Status update:

I subscribed ~foundations-bugs.

Two MIR dependencies
  - https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821 - is ready to be promoted
  - https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818 - is pending sec review, but otherwise ready to be promoted

So I think this MIR is almost ready and can be promoted after sec-review and after the two dependencies got promoted.

Revision history for this message
Mark Esler (eslerm) wrote :

I reviewed markdown-it-py 2.1.0-3 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> Markdown parser, done right. 100% CommonMark support, extensions, syntax plugins & high speed. Now in Python!

- CVE History:
  - none
  - crash reported, but not reproducible on v2.1
    - https://github.com/executablebooks/markdown-it-py/issues/175
  - user controlled crash methods (DoS) identified by Ubuntu Security
  - no upstream Security Policy
- Build-Depends?
  - lunar main
    - debhelper-compat (debhelper)
    - python3-all (python3-defaults)
    - python3-attr (python-attrs)
    - python3-markdown (python-markdown)
    - python3-sphinx (sphinx)
  - lunar universe
    - flit
    - pybuild-plugin-pyproject
    - python3-commonmark (commonmark)
    - python3-pytest (dh-python)
    - python3-pytest (pytest)
    - python3-mdurl (other MIR open)
    - python3-mistletoe (python-mistletoe)
    - python3-mistune (mistune)
    - python3-psutil (python-psutil)
- pre/post inst/rm scripts?
  - yes, standard prerm and postinst generated by dh-python
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/markdown-it
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build tests and autopkgtests
  - autopkgtests failing on i386, not a problem as pytest also fails
- cron jobs?
  - none
- Build logs:
  - W: python3-markdown-it: no-manual-page [usr/bin/markdown-it]
  - nothing concerning

- Processes spawned?
  - none
- Memory management?
  - standard python
- File IO?
  - looks safe
- Logging?
  - looks safe
  - single use of UserWarning
  - stderr if file IO fails
  - all other cases use the builtin `logging` library for debug messages
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - none
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - two try-except-passes in normalize_url.py

Sanitization functions are implemented and some in-line comments clearly document that XSS attempts are being checked.

Some regex is (inherently) obtuse. See UNICODE_PUNCT_RE.

Quite a few functions are just raise NotImplementedError

escapeHtml() is commented as needing dev review.

linkify_it is an optional runtime dependency. A patch to `markdown_it/main.py` could force `linkify_it = None` if linkify_it is not desired in main.

The Security Team discovered and is coordinating with upstream to disclose CVE-2023-26302 and CVE-2023-26303. When upstream releases patches for these vulnerabilities the Security Team will publish CVEs and notify the owning team that patches are ready to be applied.

Security team ACK for promoting markdown-it-py to main, after removing the optional linkify-it runtime dependency is considered.

Changed in markdown-it-py (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → In Progress
Revision history for this message
Mark Esler (eslerm) wrote :

If possible, please promote v2.2.0 to main which fixes CVE-2023-26302 and CVE-2023-26303. A Security Policy was also added in this release.

Huge thanks to @<email address hidden> for their speedy response!

Revision history for this message
Lukas Märdian (slyon) wrote :

The code in markdown_it/main.py is like this:
```
try:
    import linkify_it
except ModuleNotFoundError:
    linkify_it = None
```

So if linkify-it is not installed, it will already be defined as "= None". Our debian/control file does not define any runtime dependency (or recommends) on linkify-it, so IMO there's no need patch it out in a hard-coded way, as it's already unused in the status quo. No MIR for linkify-it needed. Should this situation change in the future (e.g. Debian enabling linkify-it, we can re-consider this).

Debian is currently in Soft Freeze and Ubuntu is (almost) in Feature Freeze, so I think it's kind of hard to get the new 2.2.0 version landed via Debian in time. And I don't think we should move ahead of Debian one day before feature freeze to import the new upstream version. What I did, though, is cherry-picking the two CVE fixes: https://launchpad.net/ubuntu/+source/markdown-it-py/2.1.0-4ubuntu1

Revision history for this message
Lukas Märdian (slyon) wrote :

The two dependency MIRs (python-typing-extensions & mdurl) got promoted already, so I think this is now ready for promotion, too. After MIR ACK and SEC ACK.

Changed in markdown-it-py (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Mark Esler (eslerm) wrote :

Thanks Lukas. Appreciate the CVE patches.

Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
markdown-it-py 2.1.0-4ubuntu1 in lunar: universe/misc -> main
python3-markdown-it 2.1.0-4ubuntu1 in lunar amd64: universe/python/optional/100% -> main
python3-markdown-it 2.1.0-4ubuntu1 in lunar arm64: universe/python/optional/100% -> main
python3-markdown-it 2.1.0-4ubuntu1 in lunar armhf: universe/python/optional/100% -> main
python3-markdown-it 2.1.0-4ubuntu1 in lunar i386: universe/python/optional/100% -> main
python3-markdown-it 2.1.0-4ubuntu1 in lunar ppc64el: universe/python/optional/100% -> main
python3-markdown-it 2.1.0-4ubuntu1 in lunar riscv64: universe/python/optional/100% -> main
python3-markdown-it 2.1.0-4ubuntu1 in lunar s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in markdown-it-py (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.