
[SECURITY] [DLA 3507-1] pandoc security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3507-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
July 25, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pandoc
Version        : 2.2.1-3+deb10u1
CVE ID         : CVE-2023-35936 CVE-2023-38745
Debian Bug     : 1041976

Arbitrary file write vulnerabilities were discovered in pandoc, a
Haskell library and CLI tool for converting from one markup format to
another.  These vulnerabilities can be triggered by a specially crafted
image element in the input when pandoc writes files, i.e. when the
`--extract-media` option is used or when the output format is PDF, and
allow an attacker to create or overwrite arbitrary files on the system
(subject to the privileges of the process running pandoc).

CVE-2023-35936

    Entroy C discovered that, by appending percent-encoded directory
    components to the end of a malicious data: URI, an attacker could
    trick pandoc into creating or overwriting arbitrary files on the
    system.

CVE-2023-38745

    I discovered that the upstream fix for CVE-2023-35936 was
    incomplete, namely that the vulnerability remained when encoding '%'
    characters as '%25'.
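The two CVEs above are one bug class seen twice: a file name taken from document
input is percent-decoded and joined onto the extraction directory, and the
containment check either does not exist (CVE-2023-35936) or runs after only one
round of decoding while a later stage decodes again, so '%25'-encoded traversal
slips past it (CVE-2023-38745). The following is an added example written for
this advisory, not pandoc's own code; `MEDIA_DIR`, the function names, the
two-stage decoding model and the attacker strings are all assumptions made for
the demonstration, not payloads taken from the advisory.

```python
# Illustrative containment check for media paths derived from document input.
# Example code for DLA-3507-1, not pandoc's implementation; MEDIA_DIR and all
# function names are assumptions for the demonstration.
import posixpath
from urllib.parse import unquote

MEDIA_DIR = "/tmp/media"  # assumed extraction root (--extract-media DIR)


def decode_to_fixpoint(name: str, max_rounds: int = 4) -> str:
    """Percent-decode until nothing changes, so '%252F' ends up as '/'
    exactly like '%2F' does. Bounded so an input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    raise ValueError("too many layers of percent-encoding")


def is_inside(root: str, candidate: str) -> bool:
    """Lexical containment: candidate must be a strict descendant of root."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(candidate)
    return candidate.startswith(root + "/")


def vulnerable_media_path(name: str, media_dir: str = MEDIA_DIR) -> str:
    """Pattern behind CVE-2023-35936: the name is percent-decoded and joined
    onto the media directory with no check that the result stays inside it.
    Two decode stages model a URI parser and a path builder each unescaping
    (an assumption of this example, not a description of pandoc internals)."""
    decoded = unquote(unquote(name))
    return posixpath.normpath(posixpath.join(media_dir, decoded))


def incomplete_fix_media_path(name: str, media_dir: str = MEDIA_DIR) -> str:
    """Pattern behind CVE-2023-38745: containment is checked after one round
    of decoding, but a later stage decodes again, so a name whose '%' signs
    are themselves encoded as '%25' passes the check and still escapes."""
    once = unquote(name)
    if not is_inside(media_dir, posixpath.join(media_dir, once)):
        raise ValueError(f"rejected: {name!r}")
    twice = unquote(once)  # the second, unchecked decode
    return posixpath.normpath(posixpath.join(media_dir, twice))


def safe_media_path(name: str, media_dir: str = MEDIA_DIR) -> str:
    """Hardened: decode to a fixpoint first, reject absolute names and NUL,
    then check the final path lexically against the extraction root."""
    decoded = decode_to_fixpoint(name)
    if "\x00" in decoded or decoded.startswith("/"):
        raise ValueError(f"rejected: {name!r}")
    candidate = posixpath.normpath(posixpath.join(media_dir, decoded))
    if not is_inside(media_dir, candidate):
        raise ValueError(f"rejected: {name!r} escapes {media_dir}")
    return candidate


# Constructed attacker-controlled names of the kind that could be appended to
# a data: URI in a crafted image element. Constructed for this example only.
ATTACKS = {
    "plain": "../../etc/cron.d/evil",
    "encoded": "%2E%2E%2F%2E%2E%2Fetc%2Fcron.d%2Fevil",
    "double-encoded": "%252E%252E%252F%252E%252E%252Fetc%252Fcron.d%252Fevil",
}


def outcome(fn, name: str) -> str:
    """Return the path a function would write to, or 'REJECTED'."""
    try:
        return fn(name)
    except ValueError:
        return "REJECTED"


if __name__ == "__main__":
    for label, name in ATTACKS.items():
        print(f"{label:15} vulnerable = {outcome(vulnerable_media_path, name)}")
        print(f"{'':15} incomplete = {outcome(incomplete_fix_media_path, name)}")
        print(f"{'':15} safe       = {outcome(safe_media_path, name)}")
    print("benign:", safe_media_path("figures%2Fchart.png"))
```

Run as a script, the vulnerable and incomplete variants both resolve the
double-encoded name to /etc/cron.d/evil while the hardened variant rejects all
three and still accepts a benign nested name. The check is purely lexical: if
the extraction directory may contain symlinks, resolve it with
`os.path.realpath` and re-check the resolved target before writing, and treat
the process privileges as the blast radius, as the advisory notes.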

For Debian 10 buster, these problems have been fixed in version
2.2.1-3+deb10u1.

We recommend that you upgrade your pandoc packages.

For the detailed security status of pandoc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pandoc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
