[MIR] python-markdown

Bug #1187191 reported by Adam Gandelman
Affects: python-markdown (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Availability: Currently in universe.

Rationale: python-markdown is a dependency of cheetah, however, our Ubuntu delta on cheetah patches out python-markdown from d/control to avoid a component mismatch. This is currently causing issues for some packages that depend on cheetah (LP: #1183634), and projects that depend on cheetah could benefit from python-markdown (some may even require it). Rather than maintain delta on cheetah, we should promote python-markdown to main.

Security: Unable to find any CVE issues for python-markdown (python-markdown2 is a different story)

Quality Assurance: No Ubuntu delta, no Debian or Ubuntu bugs; package actively maintained in Debian and upstream. Upstream ships a test suite that is enabled during package build.

Dependencies: All in main except python-tidylib (LP: #1187185)

Michael Terry (mterry) wrote :

This looks fine from a packaging / maintainability standpoint. But since it is a parser, and markdown2 has security problems, I figure a quick security audit would be in order. Passing to security team.

Changed in python-markdown (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in python-markdown (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)
Seth Arnold (seth-arnold) wrote :

This should not be considered a complete security audit, but rather
a quick gauge of maintainability.

I audited python-markdown 2.3.1-1 as checked into Saucy.

- No CVE history
- Markdown's purpose is dual, first to make writing simple HTML easier,
  second to provide a safe way for untrusted users to produce HTML in
  web applications and elsewhere. Thus some input comes from trusted
  programmers, some input comes from untrusted users.
- Build-dep python-nose, python3-nose, are used as test runners.
- Build-dep python-tidylib is used during tests
  - python-markdown Suggests: the older python-utidylib for runtime use as
    one extension uses it
  - python3-markdown does not Suggest: python-tidylib, as no extensions use it
- No encryption, no networking, can use pygments, embeds portions of old
  ElementTree codebase
- No daemons, no services, no cron jobs, no init scripts, no dbus, no sudo
- One binary, simple markdown converter
- prerm cleans up postinst
- Clean build logs
- No spawned processes
- Defensive code often checks pre-conditions
- File manipulation looks safe, encodings managed using good tools
- No special environment variable handling
- No privileged operations
- Extensive tests run during build

python-markdown looks to be written in a professional manner. The extensive
tests would lend confidence to any maintenance that may become necessary.

Security team ACK for including into main.

Changed in python-markdown (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Michael Terry (mterry) wrote :

Thanks, Seth. Approved then!

Changed in python-markdown (Ubuntu):
status: New → Fix Committed
Dmitry Shachnev (mitya57) wrote : Re: [Bug 1187191] Re: [MIR] python-markdown

On Fri, Jul 12, 2013 at 6:22 AM, Seth Arnold <email address hidden> wrote:
> - python-markdown Suggests: the older python-utidylib for runtime use as
> one extension uses it

This was an unwanted left-over from previous versions. The HtmlTidy
extension has been removed in 2.3.1, and I've now dropped that
suggestion in SVN.

Matthias Klose (doko) wrote :

Override component to main
python-markdown 2.3.1-1 in saucy: universe/python -> main
python-markdown 2.3.1-1 in saucy amd64: universe/python/optional/100% -> main
python-markdown 2.3.1-1 in saucy armhf: universe/python/optional/100% -> main
python-markdown 2.3.1-1 in saucy i386: universe/python/optional/100% -> main
python-markdown 2.3.1-1 in saucy powerpc: universe/python/optional/100% -> main
python-markdown-doc 2.3.1-1 in saucy amd64: universe/doc/optional/100% -> main
python-markdown-doc 2.3.1-1 in saucy armhf: universe/doc/optional/100% -> main
python-markdown-doc 2.3.1-1 in saucy i386: universe/doc/optional/100% -> main
python-markdown-doc 2.3.1-1 in saucy powerpc: universe/doc/optional/100% -> main
python3-markdown 2.3.1-1 in saucy amd64: universe/python/optional/100% -> main
python3-markdown 2.3.1-1 in saucy armhf: universe/python/optional/100% -> main
python3-markdown 2.3.1-1 in saucy i386: universe/python/optional/100% -> main
python3-markdown 2.3.1-1 in saucy powerpc: universe/python/optional/100% -> main
13 publications overridden.

Changed in python-markdown (Ubuntu):
status: Fix Committed → Fix Released