Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ghc-pandoc for openSUSE:Factory checked in at 2023-07-18 21:54:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-pandoc (Old) and /work/SRC/openSUSE:Factory/.ghc-pandoc.new.3193 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-pandoc" Tue Jul 18 21:54:23 2023 rev:4 rq:1098954 version:3.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/ghc-pandoc/ghc-pandoc.changes 2023-06-22 23:25:57.473810002 +0200 +++ /work/SRC/openSUSE:Factory/.ghc-pandoc.new.3193/ghc-pandoc.changes 2023-07-18 21:54:38.358465731 +0200 @@ -1,0 +2,7 @@ +Fri Jul 14 18:45:26 UTC 2023 - Peter Simons <[email protected]> + +- Apply "CVE-2023-35936.patch" to fix an arbitrary file write issue + that was possible when using PDF output or --extract-media with + untrusted input. [bsc#1213066, CVE-2023-35936] + +------------------------------------------------------------------- New: ---- CVE-2023-35936.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghc-pandoc.spec ++++++ --- /var/tmp/diff_new_pack.6fQaq4/_old 2023-07-18 21:54:39.022469443 +0200 +++ /var/tmp/diff_new_pack.6fQaq4/_new 2023-07-18 21:54:39.026469466 +0200 @@ -26,6 +26,7 @@ License: GPL-2.0-or-later URL: https://hackage.haskell.org/package/%{pkg_name} Source0: https://hackage.haskell.org/package/%{pkg_name}-%{version}/%{pkg_name}-%{version}.tar.gz +Patch1: CVE-2023-35936.patch BuildRequires: ghc-Cabal-devel BuildRequires: ghc-Glob-devel BuildRequires: ghc-Glob-prof @@ -229,7 +230,7 @@ This package provides the Haskell %{pkg_name} profiling library. %prep -%autosetup -n %{pkg_name}-%{version} +%autosetup -p1 -n %{pkg_name}-%{version} %build %ghc_lib_build ++++++ CVE-2023-35936.patch ++++++ >From 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 Mon Sep 17 00:00:00 2001 From: John MacFarlane <[email protected]> Date: Tue, 20 Jun 2023 13:50:13 -0700 Subject: [PATCH] Fix a security vulnerability in MediaBag and T.P.Class.IO.writeMedia. This vulnerability, discovered by Entroy C, allows users to write arbitrary files to any location by feeding pandoc a specially crafted URL in an image element. The vulnerability is serious for anyone using pandoc to process untrusted input. The vulnerability does not affect pandoc when run with the `--sandbox` flag. --- src/Text/Pandoc/Class/IO.hs | 14 +++++++------- src/Text/Pandoc/MediaBag.hs | 28 ++++++++++++++++------------ 2 files changed, 23 insertions(+), 19 deletions(-) Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs =================================================================== --- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs 2001-09-09 01:46:40.000000000 +0000 +++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs 2023-07-14 18:39:12.169005026 +0000 @@ -50,7 +50,7 @@ import Network.HTTP.Client.Internal (add import Network.HTTP.Client.TLS (mkManagerSettings) import Network.HTTP.Types.Header ( hContentType ) import Network.Socket (withSocketsDo) -import Network.URI (unEscapeString) +import Network.URI (URI(..), parseURI) import System.Directory (createDirectoryIfMissing) import System.Environment (getEnv) import System.FilePath ((</>), takeDirectory, normalise) @@ -122,11 +122,11 @@ newUniqueHash = hashUnique <$> liftIO Da openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType) openURL u - | Just u'' <- T.stripPrefix "data:" u = do - let mime = T.takeWhile (/=',') u'' - let contents = UTF8.fromString $ - unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u'' - return (decodeBase64Lenient contents, Just mime) + | Just (URI{ uriScheme = "data:", + uriPath = upath }) <- parseURI (T.unpack u) = do + let (mime, rest) = break (== '.') upath + let contents = UTF8.fromString $ drop 1 rest + return (decodeBase64Lenient contents, Just (T.pack mime)) | otherwise = do let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v) customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders @@ -224,7 +224,7 @@ writeMedia :: (PandocMonad m, MonadIO m) -> m () writeMedia dir (fp, _mt, bs) = do -- we normalize to get proper path separators for the platform - let fullpath = normalise $ dir </> unEscapeString fp + let fullpath = normalise $ dir </> fp liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath) logIOError $ BL.writeFile fullpath bs Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs =================================================================== --- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs 2001-09-09 01:46:40.000000000 +0000 +++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs 2023-07-14 18:39:12.170005139 +0000 @@ -28,6 +28,7 @@ import Data.Data (Data) import qualified Data.Map as M import Data.Maybe (fromMaybe, isNothing) import Data.Typeable (Typeable) +import Network.URI (unEscapeString) import System.FilePath import qualified System.FilePath.Posix as Posix import qualified System.FilePath.Windows as Windows @@ -35,7 +36,7 @@ import Text.Pandoc.MIME (MimeType, getMi import Data.Text (Text) import qualified Data.Text as T import Data.Digest.Pure.SHA (sha1, showDigest) -import Network.URI (URI (..), parseURI) +import Network.URI (URI (..), parseURI, isURI) data MediaItem = MediaItem @@ -54,9 +55,12 @@ newtype MediaBag = MediaBag (M.Map Text instance Show MediaBag where show bag = "MediaBag " ++ show (mediaDirectory bag) --- | We represent paths with /, in normalized form. +-- | We represent paths with /, in normalized form. Percent-encoding +-- is resolved. canonicalize :: FilePath -> Text -canonicalize = T.replace "\\" "/" . T.pack . normalise +canonicalize fp + | isURI fp = T.pack fp + | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp -- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds -- to the given path. @@ -79,23 +83,23 @@ insertMedia fp mbMime contents (MediaBag , mediaContents = contents , mediaMimeType = mt } fp' = canonicalize fp + fp'' = T.unpack fp' uri = parseURI fp - newpath = if Posix.isRelative fp - && Windows.isRelative fp + newpath = if Posix.isRelative fp'' + && Windows.isRelative fp'' && isNothing uri - && ".." `notElem` splitDirectories fp - then T.unpack fp' + && not (".." `T.isInfixOf` fp') + then fp'' else showDigest (sha1 contents) <> "." <> ext - fallback = case takeExtension fp of - ".gz" -> getMimeTypeDef $ dropExtension fp - _ -> getMimeTypeDef fp + fallback = case takeExtension fp'' of + ".gz" -> getMimeTypeDef $ dropExtension fp'' + _ -> getMimeTypeDef fp'' mt = fromMaybe fallback mbMime - path = maybe fp uriPath uri + path = maybe fp'' (unEscapeString . uriPath) uri ext = case takeExtension path of '.':e -> e _ -> maybe "" T.unpack $ extensionFromMimeType mt - -- | Lookup a media item in a 'MediaBag', returning mime type and contents. lookupMedia :: FilePath -> MediaBag
