osc copypac from project:devel:languages:haskell:ghc-9.8.x package:ghc-pandoc revision:5, using keep-link

OBS-URL: https://build.opensuse.org/package/show/devel:languages:haskell/ghc-pandoc?expand=0&rev=28
2024-03-01 19:00:03 +00:00 · 2024-03-01 19:00:03 +00:00 · 5f7a0b72fa
commit 5f7a0b72fa
parent b7b03c962f
7 changed files with 280 additions and 5 deletions
--- a/CVE-2023-35936.patch
+++ b/CVE-2023-35936.patch
@ -0,0 +1,124 @@
+From 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 Mon Sep 17 00:00:00 2001
+From: John MacFarlane <jgm@berkeley.edu>
+Date: Tue, 20 Jun 2023 13:50:13 -0700
+Subject: [PATCH] Fix a security vulnerability in MediaBag and
+ T.P.Class.IO.writeMedia.
+
+This vulnerability, discovered by Entroy C, allows users to write
+arbitrary files to any location by feeding pandoc a specially crafted
+URL in an image element.  The vulnerability is serious for anyone
+using pandoc to process untrusted input.  The vulnerability does
+not affect pandoc when run with the `--sandbox` flag.
+---
+ src/Text/Pandoc/Class/IO.hs | 14 +++++++-------
+ src/Text/Pandoc/MediaBag.hs | 28 ++++++++++++++++------------
+ 2 files changed, 23 insertions(+), 19 deletions(-)
+
+Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs
+===================================================================
+--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs	2001-09-09 01:46:40.000000000 +0000
+++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs	2023-07-14 18:39:12.169005026 +0000
+@@ -50,7 +50,7 @@ import Network.HTTP.Client.Internal (add
+ import Network.HTTP.Client.TLS (mkManagerSettings)
+ import Network.HTTP.Types.Header ( hContentType )
+ import Network.Socket (withSocketsDo)
+-import Network.URI (unEscapeString)
+import Network.URI (URI(..), parseURI)
+ import System.Directory (createDirectoryIfMissing)
+ import System.Environment (getEnv)
+ import System.FilePath ((</>), takeDirectory, normalise)
+@@ -122,11 +122,11 @@ newUniqueHash = hashUnique <$> liftIO Da
+ 
+ openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType)
+ openURL u
+- | Just u'' <- T.stripPrefix "data:" u = do
+-     let mime     = T.takeWhile (/=',') u''
+-     let contents = UTF8.fromString $
+-                     unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u''
+-     return (decodeBase64Lenient contents, Just mime)
+ | Just (URI{ uriScheme = "data:",
+              uriPath = upath }) <- parseURI (T.unpack u) = do
+     let (mime, rest) = break (== '.') upath
+     let contents = UTF8.fromString $ drop 1 rest
+     return (decodeBase64Lenient contents, Just (T.pack mime))
+  | otherwise = do
+      let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v)
+      customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders
+@@ -224,7 +224,7 @@ writeMedia :: (PandocMonad m, MonadIO m)
+            -> m ()
+ writeMedia dir (fp, _mt, bs) = do
+   -- we normalize to get proper path separators for the platform
+-  let fullpath = normalise $ dir </> unEscapeString fp
+  let fullpath = normalise $ dir </> fp
+   liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
+   logIOError $ BL.writeFile fullpath bs
+ 
+Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs
+===================================================================
+--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs	2001-09-09 01:46:40.000000000 +0000
+++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs	2023-07-14 18:39:12.170005139 +0000
+@@ -28,6 +28,7 @@ import Data.Data (Data)
+ import qualified Data.Map as M
+ import Data.Maybe (fromMaybe, isNothing)
+ import Data.Typeable (Typeable)
+import Network.URI (unEscapeString)
+ import System.FilePath
+ import qualified System.FilePath.Posix as Posix
+ import qualified System.FilePath.Windows as Windows
+@@ -35,7 +36,7 @@ import Text.Pandoc.MIME (MimeType, getMi
+ import Data.Text (Text)
+ import qualified Data.Text as T
+ import Data.Digest.Pure.SHA (sha1, showDigest)
+-import Network.URI (URI (..), parseURI)
+import Network.URI (URI (..), parseURI, isURI)
+ 
+ data MediaItem =
+   MediaItem
+@@ -54,9 +55,12 @@ newtype MediaBag = MediaBag (M.Map Text
+ instance Show MediaBag where
+   show bag = "MediaBag " ++ show (mediaDirectory bag)
+ 
+--- | We represent paths with /, in normalized form.
+-- | We represent paths with /, in normalized form.  Percent-encoding
+-- is resolved.
+ canonicalize :: FilePath -> Text
+-canonicalize = T.replace "\\" "/" . T.pack . normalise
+canonicalize fp
+  | isURI fp = T.pack fp
+  | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp
+ 
+ -- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds
+ -- to the given path.
+@@ -79,23 +83,23 @@ insertMedia fp mbMime contents (MediaBag
+                              , mediaContents = contents
+                              , mediaMimeType = mt }
+         fp' = canonicalize fp
+        fp'' = T.unpack fp'
+         uri = parseURI fp
+-        newpath = if Posix.isRelative fp
+-                       && Windows.isRelative fp
+        newpath = if Posix.isRelative fp''
+                       && Windows.isRelative fp''
+                        && isNothing uri
+-                       && ".." `notElem` splitDirectories fp
+-                     then T.unpack fp'
+                       && not (".." `T.isInfixOf` fp')
+                     then fp''
+                      else showDigest (sha1 contents) <> "." <> ext
+-        fallback = case takeExtension fp of
+-                        ".gz" -> getMimeTypeDef $ dropExtension fp
+-                        _     -> getMimeTypeDef fp
+        fallback = case takeExtension fp'' of
+                        ".gz" -> getMimeTypeDef $ dropExtension fp''
+                        _     -> getMimeTypeDef fp''
+         mt = fromMaybe fallback mbMime
+-        path = maybe fp uriPath uri
+        path = maybe fp'' (unEscapeString . uriPath) uri
+         ext = case takeExtension path of
+                 '.':e -> e
+                 _ -> maybe "" T.unpack $ extensionFromMimeType mt
+ 
+-
+ -- | Lookup a media item in a 'MediaBag', returning mime type and contents.
+ lookupMedia :: FilePath
+             -> MediaBag
--- a/CVE-2023-38745.patch
+++ b/CVE-2023-38745.patch
@ -0,0 +1,68 @@
+From eddedbfc14916aa06fc01ff04b38aeb30ae2e625 Mon Sep 17 00:00:00 2001
+From: John MacFarlane <jgm@berkeley.edu>
+Date: Thu, 20 Jul 2023 09:26:38 -0700
+Subject: [PATCH] Fix new variant of the vulnerability in CVE-2023-35936.
+
+Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
+An attacker could get around it by double-encoding the malicious
+extension to create or override arbitrary files.
+
+    $ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md
+    $ .cabal/bin/pandoc b.md --extract-media=bar
+    <p><img
+    src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
+    $ cat b.lua
+    print "hello"
+    $ find bar
+    bar/
+    bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
+
+This commit adds a test case for this more complex attack and fixes
+the vulnerability.  (The fix is quite simple: if the URL-unescaped
+filename or extension contains a '%', we just use the sha1 hash of the
+contents as the canonical name, just as we do if the filename contains
+'..'.)
+---
+ src/Text/Pandoc/Class/IO.hs |  2 ++
+ src/Text/Pandoc/MediaBag.hs |  7 ++++---
+ test/Tests/MediaBag.hs      | 12 +++++++++++-
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+
+Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs
+===================================================================
+--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs	2023-09-21 09:24:23.311539088 +0000
+++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs	2023-09-21 09:27:24.005959930 +0000
+@@ -224,6 +224,8 @@ writeMedia :: (PandocMonad m, MonadIO m)
+            -> m ()
+ writeMedia dir (fp, _mt, bs) = do
+   -- we normalize to get proper path separators for the platform
+  -- we unescape URI encoding, but given how insertMedia
+  -- is written, we shouldn't have any % in a canonical media name...
+   let fullpath = normalise $ dir </> fp
+   liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
+   logIOError $ BL.writeFile fullpath bs
+Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs
+===================================================================
+--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs	2023-09-21 09:24:23.311539088 +0000
+++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs	2023-09-21 09:27:24.006959920 +0000
+@@ -89,16 +89,17 @@ insertMedia fp mbMime contents (MediaBag
+                        && Windows.isRelative fp''
+                        && isNothing uri
+                        && not (".." `T.isInfixOf` fp')
+                       && '%' `notElem` fp''
+                      then fp''
+-                     else showDigest (sha1 contents) <> "." <> ext
+                     else showDigest (sha1 contents) <> ext
+         fallback = case takeExtension fp'' of
+                         ".gz" -> getMimeTypeDef $ dropExtension fp''
+                         _     -> getMimeTypeDef fp''
+         mt = fromMaybe fallback mbMime
+         path = maybe fp'' (unEscapeString . uriPath) uri
+         ext = case takeExtension path of
+-                '.':e -> e
+-                _ -> maybe "" T.unpack $ extensionFromMimeType mt
+                '.':e | '%' `notElem` e -> '.':e
+                _ -> maybe "" (\x -> '.':T.unpack x) $ extensionFromMimeType mt
+ 
+ -- | Lookup a media item in a 'MediaBag', returning mime type and contents.
+ lookupMedia :: FilePath
--- a/14
+++ b/14
@ -5,9 +5,21 @@
      <size unit="G">7</size>
    </disk>
    <memory>
-      <size unit="M">3500</size>
+      <size unit="M">11000</size>
    </memory>
    <processors>8</processors>
    <jobs>8</jobs>
  </hardware>
+  <overwrite>
+    <conditions>
+      <arch>armv6l</arch>
+      <arch>armv7l</arch>
+      <arch>i586</arch>
+    </conditions>
+    <hardware>
+      <memory>
+        <size unit="M">3000</size>
+      </memory>
+    </hardware>
+  </overwrite>
 </constraints>
--- a/ghc-pandoc.changes
+++ b/ghc-pandoc.changes
@ -1,3 +1,70 @@
+-------------------------------------------------------------------
+Fri Mar  1 05:49:26 UTC 2024 - Peter Simons <psimons@suse.com>
+
+- Update pandoc to version 3.1.12.2.
+  ## pandoc 3.1.12.2 (2024-02-29)
+
+    * Docx reader:
+
+      + Ensure that table captions are counted (#9518).
+      + Detect caption by style name not id (#9518).
+        The styleId can change depending on the localization.
+      + Avoid emitting empty paragraph where caption was.
+
+    * Markdown reader: fix regression in link parsing with wikilinks extensions
+      (#9481).  This fixes a regression introduced in 3.1.12.
+
+    * Org reader/writer: support admonitions (#9475).
+
+    * Org writer: omit extra blank line at end of quote block.
+
+    * Typst writer: ensure that `-`, `+`, etc. are escaped at beginning of block
+      (#9478). Our recent relaxing of escaping (#9386) caused problems for
+      things like emphasized `-` characters that were rendered using
+      `#strong[-]#`.  This now gets rendered as `#strong[\-]`.
+
+    * LaTeX writer: fix bug when a language is specified in two different ways
+      (#9472). If you used `lang: de-DE` but then had a span or div with
+      `lang=de`, the preamble would try to load `ngerman` twice, leading
+      to an error. This fix ensures that a language is only loaded once.
+
+    * Docx writer: Don't copy over `footnotePr` in `settings.xml`
+      from reference.docx (#9522).
+
+    * EPUB writer: omit EPUB2-specific meta tag on EPUB3 (#9493).
+      This caused a validation failure in epubs with cover images.
+
+    * Lua: avoid crashing when an error message is not valid UTF-8 (Albert
+      Krewinkel).
+
+    * Text.Pandoc.SelfContained:
+
+      + Add `role="img"` to svgs.
+      + Add `aria-label` to svg elements with `alt` text if present.
+        Screen readers ignore `alt` attributes on svg elements but do
+        pay attention to `aria-label` (#9525).
+
+    * Text.Pandoc.Shared: Fix regression in section numbering in
+      `makeSections` (#9516). Starting with pandoc 3.1.12, unnumbered
+      sections incremented the section number.
+
+    * Text.Pandoc.Class: fix `openUrl` TLS negotiation (#9483).
+      With the release of TLS 2.0.0, the TLS library started requiring
+      Extended Main Secret for the TLS handshake. This caused problems
+      connecting to zotero's server and others that do not support TLS 1.3.
+      This commit relaxes this requirement.
+
+    * Depend on djot 0.1.1.0 (fixes rendering on multiline block attributes).
+
+    * Use new releases of skylighting-format-blaze-html (#9520).
+      Fixes auto-wrapping of long source lines in HTML print media.
+
+    * Use new commonmark-extensions (fixes issue with the
+      `rebase_relative_paths` extension when used with commonmark/gfm.
+
+    * Makefile: improve epub-validation target (#9493).
+      Use `--epub-cover-image` to catch issues that only arise with that.
+
 -------------------------------------------------------------------
 Fri Feb 23 20:37:25 UTC 2024 - Andreas Schwab <schwab@suse.de>

--- a/ghc-pandoc.spec
+++ b/ghc-pandoc.spec
@ -20,7 +20,7 @@
 %global pkgver %{pkg_name}-%{version}
 %bcond_with tests
 Name:           ghc-%{pkg_name}
-Version:        3.1.12.1
+Version:        3.1.12.2
 Release:        0
 Summary:        Conversion between markup formats
 License:        GPL-2.0-or-later
@ -67,6 +67,8 @@ BuildRequires:  ghc-containers-devel
 BuildRequires:  ghc-containers-prof
 BuildRequires:  ghc-crypton-connection-devel
 BuildRequires:  ghc-crypton-connection-prof
+BuildRequires:  ghc-crypton-x509-system-devel
+BuildRequires:  ghc-crypton-x509-system-prof
 BuildRequires:  ghc-data-default-devel
 BuildRequires:  ghc-data-default-prof
 BuildRequires:  ghc-deepseq-devel
@ -146,6 +148,8 @@ BuildRequires:  ghc-text-devel
 BuildRequires:  ghc-text-prof
 BuildRequires:  ghc-time-devel
 BuildRequires:  ghc-time-prof
+BuildRequires:  ghc-tls-devel
+BuildRequires:  ghc-tls-prof
 BuildRequires:  ghc-typst-devel
 BuildRequires:  ghc-typst-prof
 BuildRequires:  ghc-unicode-collation-devel
--- a/pandoc-3.1.12.1.tar.gz
+++ b/pandoc-3.1.12.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:57efd39269141ed066803967b605fba3b4fd9c0f0fc31edccb186fbda1683bbc
-size 7363985
--- a/pandoc-3.1.12.2.tar.gz
+++ b/pandoc-3.1.12.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fa1e2353c36d6209d9ac9434636fdca8c0a27720c9d2fa5594d31dfbeed83e52
+size 7365367