
Bug#1041976: pandoc: CVE-2023-35936



Quoting Guilhem Moulin (2023-07-25 13:34:52)
> The following vulnerability was published for pandoc.
> 
> CVE-2023-35936[0]:
> | Starting in version 1.13 and prior to version 3.1.4, Pandoc is
> | susceptible to an arbitrary file write vulnerability, which can be
> | triggered by providing a specially crafted image element in the input
> | when generating files using the `--extract-media` option or outputting
> | to PDF format.  This vulnerability allows an attacker to create or
> | overwrite arbitrary files on the system, depending on the privileges of
> | the process running pandoc.  It only affects systems that pass untrusted
> | user input to pandoc and allow pandoc to be used to produce a PDF or
> | with the `--extract-media` option.  […]  Note that the `--sandbox`
> | option, which only affects IO done by readers and writers themselves,
> | does not block this vulnerability.
> 
> I discovered that the upstream fix was incomplete while backporting it
> to buster (LTS).  Reported the finding upstream who promptly fixed it in
> 3.1.6 [1].  Another CVE ID was assigned for this, namely CVE-2023-38745 [2].
> 
> The Security Team decided not to issue a DSA for these vulnerabilities,
> but given they're about to be patched in buster it makes sense to patch
> other suites, too.  Please consider MR !3 for unstable:
> https://salsa.debian.org/haskell-team/pandoc/-/merge_requests/3 .
> debdiff attached for convenience.
> 
> I've also prepared (and tested) a fix for bullseye [3] which I'm planning
> to submit to -pu once sid is patched.  Also planning to rebuild the
> targeted fix for bookworm and submit it to s-pu.  Let me know if you
> object :-)

I have no objections at all - on the contrary: Thanks!

I will have a look at applying the patch to trixie, then - since there
is unfortunately little hope that the whole Haskell stack will get
upgraded any time soon, so we can have a more modern Pandoc.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


