Debian Patches

Status for haskell-pandoc/3.1.3-1

Patch Description Author Forwarded Bugs Origin Last update
f9153e86bbb0b0b5a6722dded757b43c59f3e057.patch [PATCH] Update tests for skylighting-format-blaze-html change. John MacFarlane <> no 2023-08-27
undo-xml-light-internal-library no
020230620~5e381e3.patch fix a security vulnerability in MediaBag and T.P.Class.IO.writeMedia This vulnerability, discovered by Entroy C,
allows users to write arbitrary files to any location
by feeding pandoc a specially crafted URL in an image element.
The vulnerability is serious
for anyone using pandoc to process untrusted input.
The vulnerability does not affect pandoc
when run with the `--sandbox` flag.
John MacFarlane <> yes debian upstream upstream, 2023-07-25
020230623.1~54561e9.patch fix bug in git commit 5e381e3 In the new code a comma mysteriously turned into a period.
This would have prevented proper separation
of the mime type and content in data uris.
Thanks to @hseg for catching this.
John MacFarlane <> yes debian upstream upstream, 2023-07-25
020230623.2~df4f13b.patch more fixes to git commit 5e381e3 These changes recognize that parseURI does not unescape the path.
Another change is that the canonical form
of the path used as the MediaBag key
retains percent-encoding, if present;
we only unescape the string when writing to a file.
Some tests are needed before the issue can be closed.
John MacFarlane <> yes debian upstream upstream, 2023-07-25
020230623.3~fe62da6.patch add tests for fillMediaBag/extractMedia John MacFarlane <> yes debian upstream upstream, 2023-07-25
020230623.4~5246f02.patch improve tests for fillMediaBag/extractMedia Ensure that the current directory is not changed up if a test fails,
and fix messages for the assertion failures.
John MacFarlane <> yes debian upstream upstream, 2023-07-25
020230720~eddedbf.patch ix new variant of the vulnerability in CVE-2023-35936 Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
An attacker could get around it
by double-encoding the malicious extension
to create or override arbitrary files.
$ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >
$ .cabal/bin/pandoc --extract-media=bar
src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
$ cat b.lua
print "hello"
$ find bar
This commit adds a test case for this more complex attack
and fixes the vulnerability.
(The fix is quite simple:
if the URL-unescaped filename or extension contains a '%',
we just use the sha1 hash of the contents as the canonical name,
just as we do if the filename contains '..'.)
John MacFarlane <> yes debian upstream upstream, 2023-07-25
8b523749aebb67f709fe7348b412f3e5e629ceb4.patch [PATCH] Revert "Use base64 instead of base64-bytestring."
This reverts commit 6625e9655ed2bb0c4bd4dd91b5959a103deab1cb.

base64 is currently buggy on 32-bit systems. Closes #9233.
John MacFarlane <> no 2023-12-06
2001_templates_avoid_privacy_breach.patch Avoid potential privacy breaches in templates Jonas Smedegaard <> no 2018-06-12
2002_program_package_hint.patch Improve error message when pdf program is missing Jonas Smedegaard <> no 2018-09-01

All known versions for source package 'haskell-pandoc'