From 106454fb58ee0890039ec208c622e1988df01f5c461d73d73f8f4e37cad637c0 Mon Sep 17 00:00:00 2001
From: Peter Simons <peter.simons@suse.com>
Date: Sat, 15 Jul 2023 21:01:19 +0000
Subject: [PATCH] osc copypac from project:devel:languages:haskell:ghc-9.4.x
 package:ghc-pandoc revision:25, using keep-link

OBS-URL: https://build.opensuse.org/package/show/devel:languages:haskell/ghc-pandoc?expand=0&rev=15
---
 CVE-2023-35936.patch | 124 +++++++++++++++++++++++++++++++++++++++++++
 ghc-pandoc.changes   |   7 +++
 ghc-pandoc.spec      |   3 +-
 3 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-35936.patch

diff --git a/CVE-2023-35936.patch b/CVE-2023-35936.patch
new file mode 100644
index 0000000..ae6b655
--- /dev/null
+++ b/CVE-2023-35936.patch
@@ -0,0 +1,124 @@
+From 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 Mon Sep 17 00:00:00 2001
+From: John MacFarlane <jgm@berkeley.edu>
+Date: Tue, 20 Jun 2023 13:50:13 -0700
+Subject: [PATCH] Fix a security vulnerability in MediaBag and
+ T.P.Class.IO.writeMedia.
+
+This vulnerability, discovered by Entroy C, allows users to write
+arbitrary files to any location by feeding pandoc a specially crafted
+URL in an image element.  The vulnerability is serious for anyone
+using pandoc to process untrusted input.  The vulnerability does
+not affect pandoc when run with the `--sandbox` flag.
+---
+ src/Text/Pandoc/Class/IO.hs | 14 +++++++-------
+ src/Text/Pandoc/MediaBag.hs | 28 ++++++++++++++++------------
+ 2 files changed, 23 insertions(+), 19 deletions(-)
+
+Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs
+===================================================================
+--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs	2001-09-09 01:46:40.000000000 +0000
++++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs	2023-07-14 18:39:12.169005026 +0000
+@@ -50,7 +50,7 @@ import Network.HTTP.Client.Internal (add
+ import Network.HTTP.Client.TLS (mkManagerSettings)
+ import Network.HTTP.Types.Header ( hContentType )
+ import Network.Socket (withSocketsDo)
+-import Network.URI (unEscapeString)
++import Network.URI (URI(..), parseURI)
+ import System.Directory (createDirectoryIfMissing)
+ import System.Environment (getEnv)
+ import System.FilePath ((</>), takeDirectory, normalise)
+@@ -122,11 +122,11 @@ newUniqueHash = hashUnique <$> liftIO Da
+ 
+ openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType)
+ openURL u
+- | Just u'' <- T.stripPrefix "data:" u = do
+-     let mime     = T.takeWhile (/=',') u''
+-     let contents = UTF8.fromString $
+-                     unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u''
+-     return (decodeBase64Lenient contents, Just mime)
++ | Just (URI{ uriScheme = "data:",
++              uriPath = upath }) <- parseURI (T.unpack u) = do
++     let (mime, rest) = break (== '.') upath
++     let contents = UTF8.fromString $ drop 1 rest
++     return (decodeBase64Lenient contents, Just (T.pack mime))
+  | otherwise = do
+      let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v)
+      customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders
+@@ -224,7 +224,7 @@ writeMedia :: (PandocMonad m, MonadIO m)
+            -> m ()
+ writeMedia dir (fp, _mt, bs) = do
+   -- we normalize to get proper path separators for the platform
+-  let fullpath = normalise $ dir </> unEscapeString fp
++  let fullpath = normalise $ dir </> fp
+   liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
+   logIOError $ BL.writeFile fullpath bs
+ 
+Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs
+===================================================================
+--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs	2001-09-09 01:46:40.000000000 +0000
++++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs	2023-07-14 18:39:12.170005139 +0000
+@@ -28,6 +28,7 @@ import Data.Data (Data)
+ import qualified Data.Map as M
+ import Data.Maybe (fromMaybe, isNothing)
+ import Data.Typeable (Typeable)
++import Network.URI (unEscapeString)
+ import System.FilePath
+ import qualified System.FilePath.Posix as Posix
+ import qualified System.FilePath.Windows as Windows
+@@ -35,7 +36,7 @@ import Text.Pandoc.MIME (MimeType, getMi
+ import Data.Text (Text)
+ import qualified Data.Text as T
+ import Data.Digest.Pure.SHA (sha1, showDigest)
+-import Network.URI (URI (..), parseURI)
++import Network.URI (URI (..), parseURI, isURI)
+ 
+ data MediaItem =
+   MediaItem
+@@ -54,9 +55,12 @@ newtype MediaBag = MediaBag (M.Map Text
+ instance Show MediaBag where
+   show bag = "MediaBag " ++ show (mediaDirectory bag)
+ 
+--- | We represent paths with /, in normalized form.
++-- | We represent paths with /, in normalized form.  Percent-encoding
++-- is resolved.
+ canonicalize :: FilePath -> Text
+-canonicalize = T.replace "\\" "/" . T.pack . normalise
++canonicalize fp
++  | isURI fp = T.pack fp
++  | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp
+ 
+ -- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds
+ -- to the given path.
+@@ -79,23 +83,23 @@ insertMedia fp mbMime contents (MediaBag
+                              , mediaContents = contents
+                              , mediaMimeType = mt }
+         fp' = canonicalize fp
++        fp'' = T.unpack fp'
+         uri = parseURI fp
+-        newpath = if Posix.isRelative fp
+-                       && Windows.isRelative fp
++        newpath = if Posix.isRelative fp''
++                       && Windows.isRelative fp''
+                        && isNothing uri
+-                       && ".." `notElem` splitDirectories fp
+-                     then T.unpack fp'
++                       && not (".." `T.isInfixOf` fp')
++                     then fp''
+                      else showDigest (sha1 contents) <> "." <> ext
+-        fallback = case takeExtension fp of
+-                        ".gz" -> getMimeTypeDef $ dropExtension fp
+-                        _     -> getMimeTypeDef fp
++        fallback = case takeExtension fp'' of
++                        ".gz" -> getMimeTypeDef $ dropExtension fp''
++                        _     -> getMimeTypeDef fp''
+         mt = fromMaybe fallback mbMime
+-        path = maybe fp uriPath uri
++        path = maybe fp'' (unEscapeString . uriPath) uri
+         ext = case takeExtension path of
+                 '.':e -> e
+                 _ -> maybe "" T.unpack $ extensionFromMimeType mt
+ 
+-
+ -- | Lookup a media item in a 'MediaBag', returning mime type and contents.
+ lookupMedia :: FilePath
+             -> MediaBag
diff --git a/ghc-pandoc.changes b/ghc-pandoc.changes
index 16ec33d..ac77616 100644
--- a/ghc-pandoc.changes
+++ b/ghc-pandoc.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jul 14 18:45:26 UTC 2023 - Peter Simons <psimons@suse.com>
+
+- Apply "CVE-2023-35936.patch" to fix an arbitrary file write issue
+  that was possible when using PDF output or --extract-media with
+  untrusted input. [bsc#1213066, CVE-2023-35936]
+
 -------------------------------------------------------------------
 Wed Jun  7 04:32:42 UTC 2023 - Peter Simons <psimons@suse.com>
 
diff --git a/ghc-pandoc.spec b/ghc-pandoc.spec
index 88e0470..a9ad27d 100644
--- a/ghc-pandoc.spec
+++ b/ghc-pandoc.spec
@@ -26,6 +26,7 @@ Summary:        Conversion between markup formats
 License:        GPL-2.0-or-later
 URL:            https://hackage.haskell.org/package/%{pkg_name}
 Source0:        https://hackage.haskell.org/package/%{pkg_name}-%{version}/%{pkg_name}-%{version}.tar.gz
+Patch1:         CVE-2023-35936.patch
 BuildRequires:  ghc-Cabal-devel
 BuildRequires:  ghc-Glob-devel
 BuildRequires:  ghc-Glob-prof
@@ -229,7 +230,7 @@ Supplements:    (ghc-%{pkg_name}-devel and ghc-prof)
 This package provides the Haskell %{pkg_name} profiling library.
 
 %prep
-%autosetup -n %{pkg_name}-%{version}
+%autosetup -p1 -n %{pkg_name}-%{version}
 
 %build
 %ghc_lib_build