Debian Patches

Status for haskell-pandoc/3.1.3-1

Patch Description Author Forwarded Bugs Origin Last update
f9153e86bbb0b0b5a6722dded757b43c59f3e057.patch [PATCH] Update tests for skylighting-format-blaze-html change. John MacFarlane <jgm@berkeley.edu> no 2023-08-27
undo-xml-light-internal-library no
020230620~5e381e3.patch fix a security vulnerability in MediaBag and T.P.Class.IO.writeMedia This vulnerability, discovered by Entroy C,
allows users to write arbitrary files to any location
by feeding pandoc a specially crafted URL in an image element.
The vulnerability is serious
for anyone using pandoc to process untrusted input.
The vulnerability does not affect pandoc
when run with the `--sandbox` flag.
John MacFarlane <jgm@berkeley.edu> yes debian upstream upstream, https://github.com/jgm/pandoc/commit/5e381e3 2023-07-25
020230623.1~54561e9.patch fix bug in git commit 5e381e3 In the new code a comma mysteriously turned into a period.
This would have prevented proper separation
of the mime type and content in data uris.
Thanks to @hseg for catching this.
John MacFarlane <jgm@berkeley.edu> yes debian upstream upstream, https://github.com/jgm/pandoc/commit/54561e9 2023-07-25
020230623.2~df4f13b.patch more fixes to git commit 5e381e3 These changes recognize that parseURI does not unescape the path.
.
Another change is that the canonical form
of the path used as the MediaBag key
retains percent-encoding, if present;
we only unescape the string when writing to a file.
.
Some tests are needed before the issue can be closed.
John MacFarlane <jgm@berkeley.edu> yes debian upstream upstream, https://github.com/jgm/pandoc/commit/df4f13b 2023-07-25
020230623.3~fe62da6.patch add tests for fillMediaBag/extractMedia John MacFarlane <jgm@berkeley.edu> yes debian upstream upstream, https://github.com/jgm/pandoc/commit/fe62da6 2023-07-25
020230623.4~5246f02.patch improve tests for fillMediaBag/extractMedia Ensure that the current directory is not changed up if a test fails,
and fix messages for the assertion failures.
John MacFarlane <jgm@berkeley.edu> yes debian upstream upstream, https://github.com/jgm/pandoc/commit/5246f02 2023-07-25
020230720~eddedbf.patch ix new variant of the vulnerability in CVE-2023-35936 Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
An attacker could get around it
by double-encoding the malicious extension
to create or override arbitrary files.
.
$ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md
$ .cabal/bin/pandoc b.md --extract-media=bar
<p><img
src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
$ cat b.lua
print "hello"
$ find bar
bar/
bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
.
This commit adds a test case for this more complex attack
and fixes the vulnerability.
(The fix is quite simple:
if the URL-unescaped filename or extension contains a '%',
we just use the sha1 hash of the contents as the canonical name,
just as we do if the filename contains '..'.)
John MacFarlane <jgm@berkeley.edu> yes debian upstream upstream, https://github.com/jgm/pandoc/commit/eddedbf 2023-07-25
8b523749aebb67f709fe7348b412f3e5e629ceb4.patch [PATCH] Revert "Use base64 instead of base64-bytestring."
This reverts commit 6625e9655ed2bb0c4bd4dd91b5959a103deab1cb.

base64 is currently buggy on 32-bit systems. Closes #9233.
John MacFarlane <jgm@berkeley.edu> no 2023-12-06
2001_templates_avoid_privacy_breach.patch Avoid potential privacy breaches in templates Jonas Smedegaard <dr@jones.dk> no 2018-06-12
2002_program_package_hint.patch Improve error message when pdf program is missing Jonas Smedegaard <dr@jones.dk> no 2018-09-01

All known versions for source package 'haskell-pandoc'

Links