Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
020200417~a9ef15b.patch | revert dependency on base-noprelude | John MacFarlane <jgm@berkeley.edu> | yes | upstream | upstream, https://github.com/jgm/pandoc/commit/a9ef15b | 2020-08-23 |
2001_templates_avoid_privacy_breach.patch | Avoid potential privacy breaches in templates | Jonas Smedegaard <dr@jones.dk> | no | | | 2023-07-21 |
2002_program_package_hint.patch | Improve error message when pdf program is missing | Jonas Smedegaard <dr@jones.dk> | no | | | 2018-09-01 |
Adjust-tests.patch | Use latest skylighting. This adds `aria-hidden="true"` to the empty a elements, which helps people who use screen readers. | John MacFarlane <jgm@berkeley.edu> | no | | https://github.com/jgm/pandoc/commit/112e98def6baf3433e99fbaa3e7280cad16f5422 | 2020-05-12 |
CVE-2023-35936.patch | Fix a security vulnerability in MediaBag and T.P.Class.IO.writeMedia. This vulnerability, discovered by Entroy C, allows users to write arbitrary files to any location by feeding pandoc a specially crafted URL in an image element. The vulnerability is serious for anyone using pandoc to process untrusted input. | John MacFarlane <jgm@berkeley.edu> | yes | debian upstream | https://github.com/jgm/pandoc/commit/5246f02f0bb9c176a6d2f6e3d0c03407d8a67445 | 2023-06-20 |
CVE-2023-38745.patch | Fix new variant of the vulnerability in CVE-2023-35936. Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete. An attacker could get around it by double-encoding the malicious extension to create or override arbitrary files. `$ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md` `$ .cabal/bin/pandoc b.md --extract-media=bar` `<p><img src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>` `$ cat b.lua` `print "hello"` `$ find bar` `bar/` `bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+` This commit adds a test case for this more complex attack and fixes the vulnerability. | John MacFarlane <jgm@berkeley.edu> | no | debian | https://github.com/jgm/pandoc/commit/eddedbfc14916aa06fc01ff04b38aeb30ae2e625 | 2023-07-20 |