pool/ghc-pandoc
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

osc copypac from project:devel:languages:haskell:ghc-9.8.x package:ghc-pandoc revision:5, using keep-link

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:haskell/ghc-pandoc?expand=0&rev=28
This commit is contained in:
Peter Simons 2024-03-01 19:00:03 +00:00 committed by Git OBS Bridge
parent b7b03c962f
commit 5f7a0b72fa
7 changed files with 280 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
CVE-2023-35936.patch Normal file
View File

@ -0,0 +1,124 @@
From 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 Mon Sep 17 00:00:00 2001
From: John MacFarlane <jgm@berkeley.edu>
Date: Tue, 20 Jun 2023 13:50:13 -0700
Subject: [PATCH] Fix a security vulnerability in MediaBag and
T.P.Class.IO.writeMedia.
This vulnerability, discovered by Entroy C, allows users to write
arbitrary files to any location by feeding pandoc a specially crafted
URL in an image element. The vulnerability is serious for anyone
using pandoc to process untrusted input. The vulnerability does
not affect pandoc when run with the `--sandbox` flag.
---
src/Text/Pandoc/Class/IO.hs | 14 +++++++-------
src/Text/Pandoc/MediaBag.hs | 28 ++++++++++++++++------------
2 files changed, 23 insertions(+), 19 deletions(-)
Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs
===================================================================
--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs 2001-09-09 01:46:40.000000000 +0000
+++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs 2023-07-14 18:39:12.169005026 +0000
@@ -50,7 +50,7 @@ import Network.HTTP.Client.Internal (add
import Network.HTTP.Client.TLS (mkManagerSettings)
import Network.HTTP.Types.Header ( hContentType )
import Network.Socket (withSocketsDo)
-import Network.URI (unEscapeString)
+import Network.URI (URI(..), parseURI)
import System.Directory (createDirectoryIfMissing)
import System.Environment (getEnv)
import System.FilePath ((</>), takeDirectory, normalise)
@@ -122,11 +122,11 @@ newUniqueHash = hashUnique <$> liftIO Da
openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType)
openURL u
- | Just u'' <- T.stripPrefix "data:" u = do
- let mime = T.takeWhile (/=',') u''
- let contents = UTF8.fromString $
- unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u''
- return (decodeBase64Lenient contents, Just mime)
+ | Just (URI{ uriScheme = "data:",
+ uriPath = upath }) <- parseURI (T.unpack u) = do
+ let (mime, rest) = break (== '.') upath
+ let contents = UTF8.fromString $ drop 1 rest
+ return (decodeBase64Lenient contents, Just (T.pack mime))
| otherwise = do
let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v)
customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders
@@ -224,7 +224,7 @@ writeMedia :: (PandocMonad m, MonadIO m)
-> m ()
writeMedia dir (fp, _mt, bs) = do
-- we normalize to get proper path separators for the platform
- let fullpath = normalise $ dir </> unEscapeString fp
+ let fullpath = normalise $ dir </> fp
liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
logIOError $ BL.writeFile fullpath bs
Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs
===================================================================
--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs 2001-09-09 01:46:40.000000000 +0000
+++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs 2023-07-14 18:39:12.170005139 +0000
@@ -28,6 +28,7 @@ import Data.Data (Data)
import qualified Data.Map as M
import Data.Maybe (fromMaybe, isNothing)
import Data.Typeable (Typeable)
+import Network.URI (unEscapeString)
import System.FilePath
import qualified System.FilePath.Posix as Posix
import qualified System.FilePath.Windows as Windows
@@ -35,7 +36,7 @@ import Text.Pandoc.MIME (MimeType, getMi
import Data.Text (Text)
import qualified Data.Text as T
import Data.Digest.Pure.SHA (sha1, showDigest)
-import Network.URI (URI (..), parseURI)
+import Network.URI (URI (..), parseURI, isURI)
data MediaItem =
MediaItem
@@ -54,9 +55,12 @@ newtype MediaBag = MediaBag (M.Map Text
instance Show MediaBag where
show bag = "MediaBag " ++ show (mediaDirectory bag)
--- | We represent paths with /, in normalized form.
+-- | We represent paths with /, in normalized form. Percent-encoding
+-- is resolved.
canonicalize :: FilePath -> Text
-canonicalize = T.replace "\\" "/" . T.pack . normalise
+canonicalize fp
+ | isURI fp = T.pack fp
+ | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp
-- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds
-- to the given path.
@@ -79,23 +83,23 @@ insertMedia fp mbMime contents (MediaBag
, mediaContents = contents
, mediaMimeType = mt }
fp' = canonicalize fp
+ fp'' = T.unpack fp'
uri = parseURI fp
- newpath = if Posix.isRelative fp
- && Windows.isRelative fp
+ newpath = if Posix.isRelative fp''
+ && Windows.isRelative fp''
&& isNothing uri
- && ".." `notElem` splitDirectories fp
- then T.unpack fp'
+ && not (".." `T.isInfixOf` fp')
+ then fp''
else showDigest (sha1 contents) <> "." <> ext
- fallback = case takeExtension fp of
- ".gz" -> getMimeTypeDef $ dropExtension fp
- _ -> getMimeTypeDef fp
+ fallback = case takeExtension fp'' of
+ ".gz" -> getMimeTypeDef $ dropExtension fp''
+ _ -> getMimeTypeDef fp''
mt = fromMaybe fallback mbMime
- path = maybe fp uriPath uri
+ path = maybe fp'' (unEscapeString . uriPath) uri
ext = case takeExtension path of
'.':e -> e
_ -> maybe "" T.unpack $ extensionFromMimeType mt
-
-- | Lookup a media item in a 'MediaBag', returning mime type and contents.
lookupMedia :: FilePath
-> MediaBag

68
CVE-2023-38745.patch Normal file
View File

@ -0,0 +1,68 @@
From eddedbfc14916aa06fc01ff04b38aeb30ae2e625 Mon Sep 17 00:00:00 2001
From: John MacFarlane <jgm@berkeley.edu>
Date: Thu, 20 Jul 2023 09:26:38 -0700
Subject: [PATCH] Fix new variant of the vulnerability in CVE-2023-35936.
Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
An attacker could get around it by double-encoding the malicious
extension to create or override arbitrary files.
$ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md
$ .cabal/bin/pandoc b.md --extract-media=bar
<p><img
src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
$ cat b.lua
print "hello"
$ find bar
bar/
bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
This commit adds a test case for this more complex attack and fixes
the vulnerability. (The fix is quite simple: if the URL-unescaped
filename or extension contains a '%', we just use the sha1 hash of the
contents as the canonical name, just as we do if the filename contains
'..'.)
---
src/Text/Pandoc/Class/IO.hs | 2 ++
src/Text/Pandoc/MediaBag.hs | 7 ++++---
test/Tests/MediaBag.hs | 12 +++++++++++-
3 files changed, 17 insertions(+), 4 deletions(-)
Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs
===================================================================
--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs 2023-09-21 09:24:23.311539088 +0000
+++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs 2023-09-21 09:27:24.005959930 +0000
@@ -224,6 +224,8 @@ writeMedia :: (PandocMonad m, MonadIO m)
-> m ()
writeMedia dir (fp, _mt, bs) = do
-- we normalize to get proper path separators for the platform
+ -- we unescape URI encoding, but given how insertMedia
+ -- is written, we shouldn't have any % in a canonical media name...
let fullpath = normalise $ dir </> fp
liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
logIOError $ BL.writeFile fullpath bs
Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs
===================================================================
--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs 2023-09-21 09:24:23.311539088 +0000
+++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs 2023-09-21 09:27:24.006959920 +0000
@@ -89,16 +89,17 @@ insertMedia fp mbMime contents (MediaBag
&& Windows.isRelative fp''
&& isNothing uri
&& not (".." `T.isInfixOf` fp')
+ && '%' `notElem` fp''
then fp''
- else showDigest (sha1 contents) <> "." <> ext
+ else showDigest (sha1 contents) <> ext
fallback = case takeExtension fp'' of
".gz" -> getMimeTypeDef $ dropExtension fp''
_ -> getMimeTypeDef fp''
mt = fromMaybe fallback mbMime
path = maybe fp'' (unEscapeString . uriPath) uri
ext = case takeExtension path of
- '.':e -> e
- _ -> maybe "" T.unpack $ extensionFromMimeType mt
+ '.':e | '%' `notElem` e -> '.':e
+ _ -> maybe "" (\x -> '.':T.unpack x) $ extensionFromMimeType mt
-- | Lookup a media item in a 'MediaBag', returning mime type and contents.
lookupMedia :: FilePath

14
_constraints
View File

@ -5,9 +5,21 @@
<size unit="G">7</size> <size unit="G">7</size>
</disk> </disk>
<memory> <memory>
<size unit="M">3500</size> <size unit="M">11000</size>
</memory> </memory>
<processors>8</processors> <processors>8</processors>
<jobs>8</jobs> <jobs>8</jobs>
</hardware> </hardware>
<overwrite>
<conditions>
<arch>armv6l</arch>
<arch>armv7l</arch>
<arch>i586</arch>
</conditions>
<hardware>
<memory>
<size unit="M">3000</size>
</memory>
</hardware>
</overwrite>
</constraints> </constraints>

67
ghc-pandoc.changes
View File

@ -1,3 +1,70 @@
-------------------------------------------------------------------
Fri Mar 1 05:49:26 UTC 2024 - Peter Simons <psimons@suse.com>
- Update pandoc to version 3.1.12.2.
## pandoc 3.1.12.2 (2024-02-29)
* Docx reader:
+ Ensure that table captions are counted (#9518).
+ Detect caption by style name not id (#9518).
The styleId can change depending on the localization.
+ Avoid emitting empty paragraph where caption was.
* Markdown reader: fix regression in link parsing with wikilinks extensions
(#9481). This fixes a regression introduced in 3.1.12.
* Org reader/writer: support admonitions (#9475).
* Org writer: omit extra blank line at end of quote block.
* Typst writer: ensure that `-`, `+`, etc. are escaped at beginning of block
(#9478). Our recent relaxing of escaping (#9386) caused problems for
things like emphasized `-` characters that were rendered using
`#strong[-]#`. This now gets rendered as `#strong[\-]`.
* LaTeX writer: fix bug when a language is specified in two different ways
(#9472). If you used `lang: de-DE` but then had a span or div with
`lang=de`, the preamble would try to load `ngerman` twice, leading
to an error. This fix ensures that a language is only loaded once.
* Docx writer: Don't copy over `footnotePr` in `settings.xml`
from reference.docx (#9522).
* EPUB writer: omit EPUB2-specific meta tag on EPUB3 (#9493).
This caused a validation failure in epubs with cover images.
* Lua: avoid crashing when an error message is not valid UTF-8 (Albert
Krewinkel).
* Text.Pandoc.SelfContained:
+ Add `role="img"` to svgs.
+ Add `aria-label` to svg elements with `alt` text if present.
Screen readers ignore `alt` attributes on svg elements but do
pay attention to `aria-label` (#9525).
* Text.Pandoc.Shared: Fix regression in section numbering in
`makeSections` (#9516). Starting with pandoc 3.1.12, unnumbered
sections incremented the section number.
* Text.Pandoc.Class: fix `openUrl` TLS negotiation (#9483).
With the release of TLS 2.0.0, the TLS library started requiring
Extended Main Secret for the TLS handshake. This caused problems
connecting to zotero's server and others that do not support TLS 1.3.
This commit relaxes this requirement.
* Depend on djot 0.1.1.0 (fixes rendering on multiline block attributes).
* Use new releases of skylighting-format-blaze-html (#9520).
Fixes auto-wrapping of long source lines in HTML print media.
* Use new commonmark-extensions (fixes issue with the
`rebase_relative_paths` extension when used with commonmark/gfm.
* Makefile: improve epub-validation target (#9493).
Use `--epub-cover-image` to catch issues that only arise with that.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 23 20:37:25 UTC 2024 - Andreas Schwab <schwab@suse.de> Fri Feb 23 20:37:25 UTC 2024 - Andreas Schwab <schwab@suse.de>

6
ghc-pandoc.spec
View File

@ -20,7 +20,7 @@
%global pkgver %{pkg_name}-%{version} %global pkgver %{pkg_name}-%{version}
%bcond_with tests %bcond_with tests
Name: ghc-%{pkg_name} Name: ghc-%{pkg_name}
Version: 3.1.12.1 Version: 3.1.12.2
Release: 0 Release: 0
Summary: Conversion between markup formats Summary: Conversion between markup formats
License: GPL-2.0-or-later License: GPL-2.0-or-later
@ -67,6 +67,8 @@ BuildRequires: ghc-containers-devel
BuildRequires: ghc-containers-prof BuildRequires: ghc-containers-prof
BuildRequires: ghc-crypton-connection-devel BuildRequires: ghc-crypton-connection-devel
BuildRequires: ghc-crypton-connection-prof BuildRequires: ghc-crypton-connection-prof
BuildRequires: ghc-crypton-x509-system-devel
BuildRequires: ghc-crypton-x509-system-prof
BuildRequires: ghc-data-default-devel BuildRequires: ghc-data-default-devel
BuildRequires: ghc-data-default-prof BuildRequires: ghc-data-default-prof
BuildRequires: ghc-deepseq-devel BuildRequires: ghc-deepseq-devel
@ -146,6 +148,8 @@ BuildRequires: ghc-text-devel
BuildRequires: ghc-text-prof BuildRequires: ghc-text-prof
BuildRequires: ghc-time-devel BuildRequires: ghc-time-devel
BuildRequires: ghc-time-prof BuildRequires: ghc-time-prof
BuildRequires: ghc-tls-devel
BuildRequires: ghc-tls-prof
BuildRequires: ghc-typst-devel BuildRequires: ghc-typst-devel
BuildRequires: ghc-typst-prof BuildRequires: ghc-typst-prof
BuildRequires: ghc-unicode-collation-devel BuildRequires: ghc-unicode-collation-devel

3
pandoc-3.1.12.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:57efd39269141ed066803967b605fba3b4fd9c0f0fc31edccb186fbda1683bbc
size 7363985

3
pandoc-3.1.12.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fa1e2353c36d6209d9ac9434636fdca8c0a27720c9d2fa5594d31dfbeed83e52
size 7365367