rpms
/
pandoc
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport fixes for CVE-2023-35936 and CVE-2023-38745

Browse Source
epel9 imports/epel9/pandoc-2.14.0.3-17.el9
Jens Petersen 11 months ago
parent 0b86371751
commit 0c9252520b
3 changed files with 153 additions and 1 deletions
Show Stats Download Patch File Download Diff File

92
5e381e3878b5da87ee7542f7e51c3c1a7fd84b89-backport.patch
Unescape View File

@ -0,0 +1,92 @@
commit 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89
Author: John MacFarlane <jgm@berkeley.edu>
Date: Tue Jun 20 13:50:13 2023 -0700
Fix a security vulnerability in MediaBag and T.P.Class.IO.writeMedia.
This vulnerability, discovered by Entroy C, allows users to write
arbitrary files to any location by feeding pandoc a specially crafted
URL in an image element. The vulnerability is serious for anyone
using pandoc to process untrusted input. The vulnerability does
not affect pandoc when run with the `--sandbox` flag.
--- pandoc-2.14.0.3/src/Text/Pandoc/Class/IO.hs.orig 2021-06-11 07:26:17.000000000 +0800
+++ pandoc-2.14.0.3/src/Text/Pandoc/Class/IO.hs 2024-03-22 16:39:03.445837785 +0800
@@ -48,7 +48,7 @@
import Network.HTTP.Client.TLS (mkManagerSettings)
import Network.HTTP.Types.Header ( hContentType )
import Network.Socket (withSocketsDo)
-import Network.URI (unEscapeString)
+import Network.URI (URI(..), parseURI)
import System.Directory (createDirectoryIfMissing)
import System.Environment (getEnv)
import System.FilePath ((</>), takeDirectory, normalise)
@@ -119,11 +119,11 @@
openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType)
openURL u
- | Just u'' <- T.stripPrefix "data:" u = do
- let mime = T.takeWhile (/=',') u''
- let contents = UTF8.fromString $
- unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u''
- return (decodeLenient contents, Just mime)
+ | Just (URI{ uriScheme = "data:",
+ uriPath = upath }) <- parseURI (T.unpack u) = do
+ let (mime, rest) = break (== '.') upath
+ let contents = UTF8.fromString $ drop 1 rest
+ return (decodeLenient contents, Just (T.pack mime))
| otherwise = do
let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v)
customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders
--- pandoc-2.14.0.3/src/Text/Pandoc/MediaBag.hs.orig 2021-06-19 04:15:43.000000000 +0800
+++ pandoc-2.14.0.3/src/Text/Pandoc/MediaBag.hs 2024-03-22 16:33:37.600005389 +0800
@@ -33,7 +33,7 @@
import Data.Text (Text)
import qualified Data.Text as T
import Data.Digest.Pure.SHA (sha1, showDigest)
-import Network.URI (URI (..), parseURI)
+import Network.URI (URI (..), parseURI, isURI, unEscapeString)
data MediaItem =
MediaItem
@@ -52,9 +52,12 @@
instance Show MediaBag where
show bag = "MediaBag " ++ show (mediaDirectory bag)
--- | We represent paths with /, in normalized form.
+-- | We represent paths with /, in normalized form. Percent-encoding
+-- is resolved.
canonicalize :: FilePath -> Text
-canonicalize = T.replace "\\" "/" . T.pack . normalise
+canonicalize fp
+ | isURI fp = T.pack fp
+ | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp
-- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds
-- to the given path.
@@ -77,17 +80,18 @@
, mediaContents = contents
, mediaMimeType = mt }
fp' = canonicalize fp
+ fp'' = T.unpack fp'
uri = parseURI fp
- newpath = if isRelative fp
+ newpath = if isRelative fp''
&& isNothing uri
- && ".." `notElem` splitPath fp
- then T.unpack fp'
+ && not (".." `T.isInfixOf` fp')
+ then fp''
else showDigest (sha1 contents) <> "." <> ext
- fallback = case takeExtension fp of
- ".gz" -> getMimeTypeDef $ dropExtension fp
- _ -> getMimeTypeDef fp
+ fallback = case takeExtension fp'' of
+ ".gz" -> getMimeTypeDef $ dropExtension fp''
+ _ -> getMimeTypeDef fp''
mt = fromMaybe fallback mbMime
- path = maybe fp uriPath uri
+ path = maybe fp'' (unEscapeString . uriPath) uri
ext = case takeExtension path of
'.':e -> e
_ -> maybe "" T.unpack $ extensionFromMimeType mt

49
eddedbfc14916aa06fc01ff04b38aeb30ae2e625-backport.patch
Unescape View File

@ -0,0 +1,49 @@
commit eddedbfc14916aa06fc01ff04b38aeb30ae2e625
Author: John MacFarlane <jgm@berkeley.edu>
Date: Thu Jul 20 09:26:38 2023 -0700
Fix new variant of the vulnerability in CVE-2023-35936.
Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
An attacker could get around it by double-encoding the malicious
extension to create or override arbitrary files.
$ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md
$ .cabal/bin/pandoc b.md --extract-media=bar
<p><img
src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
$ cat b.lua
print "hello"
$ find bar
bar/
bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
This commit adds a test case for this more complex attack and fixes
the vulnerability. (The fix is quite simple: if the URL-unescaped
filename or extension contains a '%', we just use the sha1 hash of the
contents as the canonical name, just as we do if the filename contains
'..'.)
--- pandoc-2.14.0.3/src/Text/Pandoc/MediaBag.hs.orig 2024-03-22 16:40:07.874200094 +0800
+++ pandoc-2.14.0.3/src/Text/Pandoc/MediaBag.hs 2024-03-22 16:42:13.289905373 +0800
@@ -85,16 +85,17 @@
newpath = if isRelative fp''
&& isNothing uri
&& not (".." `T.isInfixOf` fp')
+ && '%' `notElem` fp''
then fp''
- else showDigest (sha1 contents) <> "." <> ext
+ else showDigest (sha1 contents) <> ext
fallback = case takeExtension fp'' of
".gz" -> getMimeTypeDef $ dropExtension fp''
_ -> getMimeTypeDef fp''
mt = fromMaybe fallback mbMime
path = maybe fp'' (unEscapeString . uriPath) uri
ext = case takeExtension path of
- '.':e -> e
- _ -> maybe "" T.unpack $ extensionFromMimeType mt
+ '.':e | '%' `notElem` e -> '.':e
+ _ -> maybe "" (\x -> '.':T.unpack x) $ extensionFromMimeType mt
-- | Lookup a media item in a 'MediaBag', returning mime type and contents.

13
pandoc.spec
Unescape View File

@ -21,7 +21,7 @@
Name: %{pkg_name}
Version: 2.14.0.3
# can only be reset when all subpkgs bumped
Release: 16%{?dist}
Release: 17%{?dist}
Summary: Conversion between markup formats
License: GPLv2+
@ -39,6 +39,12 @@ Source8: https://hackage.haskell.org/package/%{commonmarkpandoc}/%{common
Source9: https://hackage.haskell.org/package/%{hsluamodulepath}/%{hsluamodulepath}.tar.gz
Source10: https://hackage.haskell.org/package/%{unicodecollation}/%{unicodecollation}.tar.gz
# End cabal-rpm sources
# CVE-2023-35936
# https://github.com/jgm/pandoc/commit/5e381e3878b5da87ee7542f7e51c3c1a7fd84b89
Patch1: 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89-backport.patch
# CVE-2023-38745
# https://github.com/jgm/pandoc/commit/eddedbfc14916aa06fc01ff04b38aeb30ae2e625
Patch2: eddedbfc14916aa06fc01ff04b38aeb30ae2e625-backport.patch
# Begin cabal-rpm deps:
BuildRequires: ghc-Cabal-devel
@ -240,6 +246,8 @@ This package provides the Haskell %{name} profiling library.
# Begin cabal-rpm setup:
%setup -q -a1 -a2 -a3 -a4 -a5 -a6 -a7 -a8 -a9 -a10
# End cabal-rpm setup
%patch -P1 -p1 -b .orig
%patch -P2 -p1 -b .orig
%build
@ -315,6 +323,9 @@ touch %{buildroot}%{_datadir}/bash-completion/completions/%{name}
%changelog
* Fri Mar 22 2024 Jens Petersen <petersen@redhat.com> - 2.14.0.3-17
- backport fixes for CVE-2023-35936 and CVE-2023-38745
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.14.0.3-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

Write Preview
Loading…
Cancel
Save