Quoting Guilhem Moulin (2023-07-25 13:34:52)
> The following vulnerability was published for pandoc.
>
> CVE-2023-35936[0]:
> | Starting in version 1.13 and prior to version 3.1.4, Pandoc is
> | susceptible to an arbitrary file write vulnerability, which can be
> | triggered by providing a specially crafted image element in the input
> | when generating files using the `--extract-media` option or outputting
> | to PDF format. This vulnerability allows an attacker to create or
> | overwrite arbitrary files on the system, depending on the privileges of
> | the process running pandoc. It only affects systems that pass untrusted
> | user input to pandoc and allow pandoc to be used to produce a PDF or
> | with the `--extract-media` option. […] Note that the `--sandbox`
> | option, which only affects IO done by readers and writers themselves,
> | does not block this vulnerability.
>
> I discovered that the upstream fix was incomplete while backporting it
> to buster (LTS). Reported the finding upstream who promptly fixed it in
> 3.1.6 [1]. Another CVE ID was assigned for this, namely CVE-2023-38745 [2].
>
> The Security Team decided not to issue a DSA for these vulnerabilities,
> but given they're about to be patched in buster it makes sense to patch
> other suites, too. Please consider MR !3 for unstable:
> https://salsa.debian.org/haskell-team/pandoc/-/merge_requests/3 .
> debdiff attached for convenience.
>
> I've also prepared (and tested) a fix for bullseye [3] which I'm planning
> to submit to -pu once sid is patched. Also planning to rebuild the
> targeted fix for bookworm and submit it to s-pu. Let me know if you
> object :-)
I have no objections at all - on the contrary: Thanks!

I will have a look at applying the patch to trixie, then - since there is
unfortunately little hope that the whole Haskell stack will get upgraded
any time soon, so we can have a more modern Pandoc.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private